From e5b734e90e983df7fc9cc33f2a9f33567eb02dda Mon Sep 17 00:00:00 2001
From: Justin Ibarra <brokensound77@users.noreply.github.com>
Date: Tue, 15 Feb 2022 12:01:53 -0900
Subject: [PATCH] Add rule docs for 8.0 rule changes (#1506)

* Add rule docs for 8.0 rule changes

* remove missing link for aws-ec2-vm-export-failure-history

* update script to not add history without changelog

* remove missing history links

* remove extra version bump

* remove debug line from script

* update all occurrences of 8.0 to 8.0.0

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
(cherry picked from commit 9f79109bf1567ff1e781f068a5d201a8d459c43c)
---
 .../prebuilt-rules-changelog.asciidoc         |    67 +
 .../prebuilt-rules-reference.asciidoc         |   176 +-
 .../prebuilt-rules/rule-desc-index.asciidoc   |    31 +-
 .../account-password-reset-remotely.asciidoc  |    74 +
 ...behavior-detected-elastic-endgame.asciidoc |     9 +-
 ...-added-to-google-workspace-domain.asciidoc |    23 +-
 ...ntbridge-rule-disabled-or-deleted.asciidoc |    13 +-
 .../aws-rds-snapshot-restored.asciidoc        |    13 +-
 ...-high-risk-user-sign-in-heuristic.asciidoc |    78 +
 ...pression-rule-created-or-modified.asciidoc |    81 +
 .../azure-kubernetes-events-deleted.asciidoc  |    13 +-
 .../azure-kubernetes-pods-deleted.asciidoc    |    13 +-
 ...e-kubernetes-rolebindings-created.asciidoc |    75 +
 .../clearing-windows-console-history.asciidoc |    71 +
 .../component-object-model-hijacking.asciidoc |    31 +-
 ...n-to-commonly-abused-web-services.asciidoc |    47 +-
 ...el-process-with-unusual-arguments.asciidoc |    13 +-
 ...-dumping-detected-elastic-endgame.asciidoc |     9 +-
 ...dumping-prevented-elastic-endgame.asciidoc |     9 +-
 ...pulation-detected-elastic-endgame.asciidoc |     9 +-
 ...ulation-prevented-elastic-endgame.asciidoc |     9 +-
 ...s-over-https-enabled-via-registry.asciidoc |    13 +-
 ...-google-workspace-trusted-domains.asciidoc |    23 +-
 ...rivileged-local-groups-membership.asciidoc |    91 +
 .../exploit-detected-elastic-endgame.asciidoc |     9 +-
 ...exploit-prevented-elastic-endgame.asciidoc |     9 +-
 ...tual-private-cloud-route-creation.asciidoc |     9 +-
 ...ace-admin-role-assigned-to-a-user.asciidoc |    23 +-
 ...gle-workspace-admin-role-deletion.asciidoc |    23 +-
 ...main-wide-delegation-of-authority.asciidoc |    23 +-
 ...rkspace-custom-admin-role-created.asciidoc |    23 +-
 ...orkspace-mfa-enforcement-disabled.asciidoc |    26 +-
 ...orkspace-password-policy-modified.asciidoc |    32 +-
 .../google-workspace-role-modified.asciidoc   |    23 +-
 ...licy-abuse-for-privilege-addition.asciidoc |   119 +
 ...g-dcom-lateral-movement-via-mshta.asciidoc |    23 +-
 ...ng-dcom-lateral-movement-with-mmc.asciidoc |    22 +-
 ...hellbrowserwindow-or-shellwindows.asciidoc |    24 +-
 ...execution-via-powershell-remoting.asciidoc |    25 +-
 ...-execution-via-winrm-remote-shell.asciidoc |    19 +-
 .../lateral-tool-transfer.asciidoc            |    27 +-
 ...odification-and-immediate-loading.asciidoc |    20 +-
 .../malware-detected-elastic-endgame.asciidoc |     9 +-
 ...malware-prevented-elastic-endgame.asciidoc |     9 +-
 ...for-google-workspace-organization.asciidoc |    27 +-
 ...365-potential-ransomware-activity.asciidoc |    13 +-
 ...rosoft-windows-defender-tampering.asciidoc |   113 +
 ...ssive-single-sign-on-logon-errors.asciidoc |    16 +-
 ...o365-mailbox-audit-logging-bypass.asciidoc |    80 +
 ...on-theft-detected-elastic-endgame.asciidoc |     9 +-
 ...n-theft-prevented-elastic-endgame.asciidoc |     9 +-
 ...sistence-via-folder-action-script.asciidoc |    19 +-
 ...cess-via-duplicatehandle-in-lsass.asciidoc |    13 +-
 ...tial-access-via-lsass-memory-dump.asciidoc |    68 +
 ...cess-via-renamed-com-services-dll.asciidoc |    80 +
 ...e-creation-via-psscapturesnapshot.asciidoc |    76 +
 ...emory-dump-via-psscapturesnapshot.asciidoc |    78 +
 ...alation-via-installerfiletakeover.asciidoc |   105 +
 ...-process-injection-via-powershell.asciidoc |   134 +
 .../potential-sharprdp-behavior.asciidoc      |    29 +-
 .../powershell-keylogging-script.asciidoc     |   135 +
 .../powershell-minidump-script.asciidoc       |    77 +-
 .../powershell-psreflect-script.asciidoc      |   131 +
 ...ery-related-windows-api-functions.asciidoc |    81 +-
 ...us-payload-encoded-and-compressed.asciidoc |    75 +
 ...t-with-audio-capture-capabilities.asciidoc |    77 +-
 ...ript-with-screenshot-capabilities.asciidoc |    73 +
 ...ia-rogue-named-pipe-impersonation.asciidoc |    79 +
 ...njection-detected-elastic-endgame.asciidoc |     9 +-
 ...jection-prevented-elastic-endgame.asciidoc |     9 +-
 ...nsomware-detected-elastic-endgame.asciidoc |    11 +-
 ...somware-prevented-elastic-endgame.asciidoc |    11 +-
 .../remote-scheduled-task-creation.asciidoc   |    23 +-
 ...remotely-started-services-via-rpc.asciidoc |    26 +-
 ...file-downloaded-from-the-internet.asciidoc |     7 +-
 ...d-task-execution-at-scale-via-gpo.asciidoc |   135 +
 ...ript-added-to-group-policy-object.asciidoc |   139 +
 ...us-.net-reflection-via-powershell.asciidoc |    74 +
 .../suspicious-certutil-commands.asciidoc     |    19 +-
 ...=> suspicious-java-child-process.asciidoc} |    40 +-
 ...able-encoded-in-powershell-script.asciidoc |    82 +-
 ...ess-access-via-direct-system-call.asciidoc |    13 +-
 ...icious-process-creation-calltrace.asciidoc |    68 +
 ...bolic-link-to-shadow-copy-created.asciidoc |    71 +
 ...es-deleted-via-unexpected-process.asciidoc |    13 +-
 ...beat-module-v8.x-indicator-match.asciidoc} |    31 +-
 .../threat-intel-indicator-match.asciidoc     |   107 +
 ...e-padding-in-process-command-line.asciidoc |     7 +-
 ...r-exclusions-added-via-powershell.asciidoc |    20 +-
 ...-firewall-disabled-via-powershell.asciidoc |    75 +
 .../wmi-incoming-lateral-movement.asciidoc    |    33 +-
 prebuilt-rules-scripts/changelog-entries.yml  |     1 +
 .../final-files/final-rule-file-8.0.0.json    | 50607 ++++++++++++++++
 .../gen-files/json-from-docs-8.0.0.json       | 33946 +++++++++++
 prebuilt-rules-scripts/generate.py            |     7 +-
 .../7.16.0-prebuilt-rule.json                 | 32154 ++++++++++
 .../8.0.0-prebuilt-rule.json                  | 33946 +++++++++++
 97 files changed, 154440 insertions(+), 329 deletions(-)
 create mode 100644 docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-alert-suppression-rule-created-or-modified.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/azure-kubernetes-rolebindings-created.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/enumeration-of-privileged-local-groups-membership.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/group-policy-abuse-for-privilege-addition.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/o365-mailbox-audit-logging-bypass.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-psreflect-script.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-screenshot-capabilities.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/startup-logon-script-added-to-group-policy-object.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-.net-reflection-via-powershell.asciidoc
 rename docs/detections/prebuilt-rules/rule-details/{suspicious-jar-child-process.asciidoc => suspicious-java-child-process.asciidoc} (57%)
 create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-process-creation-calltrace.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc
 rename docs/detections/prebuilt-rules/rule-details/{threat-intel-filebeat-module-indicator-match.asciidoc => threat-intel-filebeat-module-v8.x-indicator-match.asciidoc} (76%)
 create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-indicator-match.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc
 create mode 100644 prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.0.0.json
 create mode 100644 prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.0.0.json
 create mode 100644 prebuilt-rules-scripts/orig-rules-json-files/7.16.0-prebuilt-rule.json
 create mode 100644 prebuilt-rules-scripts/orig-rules-json-files/8.0.0-prebuilt-rule.json

diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
index 109a3edf17..d377efb7ea 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
@@ -5,6 +5,73 @@ The following lists prebuilt rule updates per release. Only rules with
 significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
+[float]
+=== 8.0
+
+<<application-added-to-google-workspace-domain>>
+
+<<component-object-model-hijacking>>
+
+<<connection-to-commonly-abused-web-services>>
+
+<<domain-added-to-google-workspace-trusted-domains>>
+
+<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority>>
+
+<<google-workspace-admin-role-assigned-to-a-user>>
+
+<<google-workspace-admin-role-deletion>>
+
+<<google-workspace-custom-admin-role-created>>
+
+<<google-workspace-mfa-enforcement-disabled>>
+
+<<google-workspace-password-policy-modified>>
+
+<<google-workspace-role-modified>>
+
+<<incoming-dcom-lateral-movement-via-mshta>>
+
+<<incoming-dcom-lateral-movement-with-mmc>>
+
+<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows>>
+
+<<incoming-execution-via-powershell-remoting>>
+
+<<incoming-execution-via-winrm-remote-shell>>
+
+<<lateral-tool-transfer>>
+
+<<launchdaemon-creation-or-modification-and-immediate-loading>>
+
+<<mfa-disabled-for-google-workspace-organization>>
+
+<<o365-excessive-single-sign-on-logon-errors>>
+
+<<persistence-via-folder-action-script>>
+
+<<potential-sharprdp-behavior>>
+
+<<powershell-minidump-script>>
+
+<<powershell-suspicious-discovery-related-windows-api-functions>>
+
+<<powershell-suspicious-script-with-audio-capture-capabilities>>
+
+<<remote-scheduled-task-creation>>
+
+<<remotely-started-services-via-rpc>>
+
+<<suspicious-certutil-commands>>
+
+<<suspicious-java-child-process>>
+
+<<suspicious-portable-executable-encoded-in-powershell-script>>
+
+<<wmi-incoming-lateral-movement>>
+
+<<windows-defender-exclusions-added-via-powershell>>
+
 [float]
 === 7.16.0
 
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
index 4c58a464f6..e458de3bbd 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
@@ -54,7 +54,7 @@ and their rule type is `machine_learning`.
 
 |<<aws-elasticache-security-group-modified-or-deleted, AWS ElastiCache Security Group Modified or Deleted>> |Identifies when an ElastiCache security group has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.16.0 |1
 
-|<<aws-eventbridge-rule-disabled-or-deleted, AWS EventBridge Rule Disabled or Deleted>> |Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or breaking the flow with other AWS services. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.16.0 |1
+|<<aws-eventbridge-rule-disabled-or-deleted, AWS EventBridge Rule Disabled or Deleted>> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.16.0 |2 <<aws-eventbridge-rule-disabled-or-deleted-history, Version history>>
 
 |<<aws-execution-via-system-manager, AWS Execution via System Manager>> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |6 <<aws-execution-via-system-manager-history, Version history>>
 
@@ -92,7 +92,7 @@ and their rule type is `machine_learning`.
 
 |<<aws-rds-snapshot-export, AWS RDS Snapshot Export>> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.16.0 |1
 
-|<<aws-rds-snapshot-restored, AWS RDS Snapshot Restored>> |Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.16.0 |1
+|<<aws-rds-snapshot-restored, AWS RDS Snapshot Restored>> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.16.0 |2 <<aws-rds-snapshot-restored-history, Version history>>
 
 |<<aws-root-login-without-mfa, AWS Root Login Without MFA>> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |5 <<aws-root-login-without-mfa-history, Version history>>
 
@@ -126,6 +126,8 @@ and their rule type is `machine_learning`.
 
 |<<access-to-keychain-credentials-directories, Access to Keychain Credentials Directories>> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access]  |7.10.0 |5 <<access-to-keychain-credentials-directories-history, Version history>>
 
+|<<account-password-reset-remotely, Account Password Reset Remotely>> |Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |8.0.0 |1
+
 |<<adfind-command-activity, AdFind Command Activity>> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.11.0 |5 <<adfind-command-activity-history, Version history>>
 
 |<<adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> |Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |9 <<adding-hidden-file-attribute-via-attrib-history, Version history>>
@@ -136,7 +138,7 @@ and their rule type is `machine_learning`.
 
 |<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects writing executable files that will be automatically launched by Adobe on launch. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |9 <<adobe-hijack-persistence-history, Version history>>
 
-|<<adversary-behavior-detected-elastic-endgame, Adversary Behavior - Detected - Elastic Endgame>> |Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<adversary-behavior-detected-elastic-endgame-history, Version history>>
+|<<adversary-behavior-detected-elastic-endgame, Adversary Behavior - Detected - Elastic Endgame>> |Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<adversary-behavior-detected-elastic-endgame-history, Version history>>
 
 |<<agent-spoofing-mismatched-agent-id, Agent Spoofing - Mismatched Agent ID>> |Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection. |[Elastic] [Threat Detection] [Defense Evasion]  |7.14.0 |1
 
@@ -156,7 +158,7 @@ and their rule type is `machine_learning`.
 
 |<<apple-scripting-execution-with-administrator-privileges, Apple Scripting Execution with Administrator Privileges>> |Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. |[Elastic] [Host] [macOS] [Threat Detection] [Execution] [Privilege Escalation]  |7.12.0 |1
 
-|<<application-added-to-google-workspace-domain, Application Added to Google Workspace Domain>> |Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |5 <<application-added-to-google-workspace-domain-history, Version history>>
+|<<application-added-to-google-workspace-domain, Application Added to Google Workspace Domain>> |Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |6 <<application-added-to-google-workspace-domain-history, Version history>>
 
 |<<attempt-to-create-okta-api-token, Attempt to Create Okta API Token>> |Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |6 <<attempt-to-create-okta-api-token-history, Version history>>
 
@@ -224,8 +226,12 @@ and their rule type is `machine_learning`.
 
 |<<azure-active-directory-high-risk-sign-in, Azure Active Directory High Risk Sign-in>> |Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.12.0 |3 <<azure-active-directory-high-risk-sign-in-history, Version history>>
 
+|<<azure-active-directory-high-risk-user-sign-in-heuristic, Azure Active Directory High Risk User Sign-in Heuristic>> |Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |8.0.0 |1
+
 |<<azure-active-directory-powershell-sign-in, Azure Active Directory PowerShell Sign-in>> |Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |4 <<azure-active-directory-powershell-sign-in-history, Version history>>
 
+|<<azure-alert-suppression-rule-created-or-modified, Azure Alert Suppression Rule Created or Modified>> |Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |8.0.0 |1
+
 |<<azure-application-credential-modification, Azure Application Credential Modification>> |Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |4 <<azure-application-credential-modification-history, Version history>>
 
 |<<azure-automation-account-created, Azure Automation Account Created>> |Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |5 <<azure-automation-account-created-history, Version history>>
@@ -262,9 +268,11 @@ and their rule type is `machine_learning`.
 
 |<<azure-key-vault-modified, Azure Key Vault Modified>> |Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Data Protection]  |7.10.0 |5 <<azure-key-vault-modified-history, Version history>>
 
-|<<azure-kubernetes-events-deleted, Azure Kubernetes Events Deleted>> |Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.16.0 |1
+|<<azure-kubernetes-events-deleted, Azure Kubernetes Events Deleted>> |Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.16.0 |2 <<azure-kubernetes-events-deleted-history, Version history>>
+
+|<<azure-kubernetes-pods-deleted, Azure Kubernetes Pods Deleted>> |Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.16.0 |2 <<azure-kubernetes-pods-deleted-history, Version history>>
 
-|<<azure-kubernetes-pods-deleted, Azure Kubernetes Pods Deleted>> |Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.16.0 |1
+|<<azure-kubernetes-rolebindings-created, Azure Kubernetes Rolebindings Created>> |Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |8.0.0 |1
 
 |<<azure-network-watcher-deletion, Azure Network Watcher Deletion>> |Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Network Security]  |7.10.0 |5 <<azure-network-watcher-deletion-history, Version history>>
 
@@ -286,6 +294,8 @@ and their rule type is `machine_learning`.
 
 |<<bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> |Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.7.0 |9 <<bypass-uac-via-event-viewer-history, Version history>>
 
+|<<clearing-windows-console-history, Clearing Windows Console History>> |Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
+
 |<<clearing-windows-event-logs, Clearing Windows Event Logs>> |Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |11 <<clearing-windows-event-logs-history, Version history>>
 
 |<<cobalt-strike-command-and-control-beacon, Cobalt Strike Command and Control Beacon>> |Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. |[Elastic] [Network] [Threat Detection] [Command and Control] [Host]  |7.10.0 |6 <<cobalt-strike-command-and-control-beacon-history, Version history>>
@@ -296,19 +306,19 @@ and their rule type is `machine_learning`.
 
 |<<command-shell-activity-started-via-rundll32, Command Shell Activity Started via RunDLL32>> |Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.11.0 |4 <<command-shell-activity-started-via-rundll32-history, Version history>>
 
-|<<component-object-model-hijacking, Component Object Model Hijacking>> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |4 <<component-object-model-hijacking-history, Version history>>
+|<<component-object-model-hijacking, Component Object Model Hijacking>> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |5 <<component-object-model-hijacking-history, Version history>>
 
 |<<conhost-spawned-by-suspicious-parent-process, Conhost Spawned By Suspicious Parent Process>> |Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |4 <<conhost-spawned-by-suspicious-parent-process-history, Version history>>
 
 |<<connection-to-commonly-abused-free-ssl-certificate-providers, Connection to Commonly Abused Free SSL Certificate Providers>> |Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.11.0 |3 <<connection-to-commonly-abused-free-ssl-certificate-providers-history, Version history>>
 
-|<<connection-to-commonly-abused-web-services, Connection to Commonly Abused Web Services>> |Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.11.0 |5 <<connection-to-commonly-abused-web-services-history, Version history>>
+|<<connection-to-commonly-abused-web-services, Connection to Commonly Abused Web Services>> |Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.11.0 |6 <<connection-to-commonly-abused-web-services-history, Version history>>
 
 |<<connection-to-external-network-via-telnet, Connection to External Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Elastic] [Host] [Linux] [Threat Detection] [Lateral Movement]  |7.8.0 |6 <<connection-to-external-network-via-telnet-history, Version history>>
 
 |<<connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Elastic] [Host] [Linux] [Threat Detection] [Lateral Movement]  |7.8.0 |6 <<connection-to-internal-network-via-telnet-history, Version history>>
 
-|<<control-panel-process-with-unusual-arguments, Control Panel Process with Unusual Arguments>> |Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse Control.exe to proxy execution of malicious code. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |1
+|<<control-panel-process-with-unusual-arguments, Control Panel Process with Unusual Arguments>> |Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |2 <<control-panel-process-with-unusual-arguments-history, Version history>>
 
 |<<creation-of-hidden-files-and-directories, Creation of Hidden Files and Directories>> |Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.9.0 |7 <<creation-of-hidden-files-and-directories-history, Version history>>
 
@@ -326,13 +336,13 @@ and their rule type is `machine_learning`.
 
 |<<credential-acquisition-via-registry-hive-dumping, Credential Acquisition via Registry Hive Dumping>> |Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.11.0 |4 <<credential-acquisition-via-registry-hive-dumping-history, Version history>>
 
-|<<credential-dumping-detected-elastic-endgame, Credential Dumping - Detected - Elastic Endgame>> |Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<credential-dumping-detected-elastic-endgame-history, Version history>>
+|<<credential-dumping-detected-elastic-endgame, Credential Dumping - Detected - Elastic Endgame>> |Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<credential-dumping-detected-elastic-endgame-history, Version history>>
 
-|<<credential-dumping-prevented-elastic-endgame, Credential Dumping - Prevented - Elastic Endgame>> |Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<credential-dumping-prevented-elastic-endgame-history, Version history>>
+|<<credential-dumping-prevented-elastic-endgame, Credential Dumping - Prevented - Elastic Endgame>> |Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<credential-dumping-prevented-elastic-endgame-history, Version history>>
 
-|<<credential-manipulation-detected-elastic-endgame, Credential Manipulation - Detected - Elastic Endgame>> |Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<credential-manipulation-detected-elastic-endgame-history, Version history>>
+|<<credential-manipulation-detected-elastic-endgame, Credential Manipulation - Detected - Elastic Endgame>> |Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<credential-manipulation-detected-elastic-endgame-history, Version history>>
 
-|<<credential-manipulation-prevented-elastic-endgame, Credential Manipulation - Prevented - Elastic Endgame>> |Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<credential-manipulation-prevented-elastic-endgame-history, Version history>>
+|<<credential-manipulation-prevented-elastic-endgame, Credential Manipulation - Prevented - Elastic Endgame>> |Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<credential-manipulation-prevented-elastic-endgame-history, Version history>>
 
 |<<cyberark-privileged-access-security-error, CyberArk Privileged Access Security Error>> |Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code. |[Elastic] [cyberarkpas] [SecOps] [Log Auditing] [Threat Detection] [Privilege Escalation]  |7.14.0 |1
 
@@ -342,7 +352,7 @@ and their rule type is `machine_learning`.
 
 |<<dns-tunneling, DNS Tunneling>> |A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |4 <<dns-tunneling-history, Version history>>
 
-|<<dns-over-https-enabled-via-registry, DNS-over-HTTPS Enabled via Registry>> |Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |1
+|<<dns-over-https-enabled-via-registry, DNS-over-HTTPS Enabled via Registry>> |Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |2 <<dns-over-https-enabled-via-registry-history, Version history>>
 
 |<<default-cobalt-strike-team-server-certificate, Default Cobalt Strike Team Server Certificate>> |This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration. |[Command and Control] [Post-Execution] [Threat Detection] [Elastic] [Network] [Host]  |7.11.0 |6 <<default-cobalt-strike-team-server-certificate-history, Version history>>
 
@@ -360,7 +370,7 @@ and their rule type is `machine_learning`.
 
 |<<disabling-windows-defender-security-settings-via-powershell, Disabling Windows Defender Security Settings via PowerShell>> |Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.14.0 |2 <<disabling-windows-defender-security-settings-via-powershell-history, Version history>>
 
-|<<domain-added-to-google-workspace-trusted-domains, Domain Added to Google Workspace Trusted Domains>> |Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |5 <<domain-added-to-google-workspace-trusted-domains-history, Version history>>
+|<<domain-added-to-google-workspace-trusted-domains, Domain Added to Google Workspace Trusted Domains>> |Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |6 <<domain-added-to-google-workspace-trusted-domains-history, Version history>>
 
 |<<dumping-account-hashes-via-built-in-commands, Dumping Account Hashes via Built-In Commands>> |Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access]  |7.12.0 |1
 
@@ -384,6 +394,8 @@ and their rule type is `machine_learning`.
 
 |<<enumeration-of-kernel-modules, Enumeration of Kernel Modules>> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. |[Elastic] [Host] [Linux] [Threat Detection] [Discovery]  |7.8.0 |6 <<enumeration-of-kernel-modules-history, Version history>>
 
+|<<enumeration-of-privileged-local-groups-membership, Enumeration of Privileged Local Groups Membership>> |Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |8.0.0 |1
+
 |<<enumeration-of-users-or-groups-via-built-in-commands, Enumeration of Users or Groups via Built-in Commands>> |Identifies the execution of macOS built-in commands related to account or group enumeration. |[Elastic] [Host] [macOS] [Threat Detection] [Discovery]  |7.12.0 |2 <<enumeration-of-users-or-groups-via-built-in-commands-history, Version history>>
 
 |<<executable-file-creation-with-multiple-extensions, Executable File Creation with Multiple Extensions>> |Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.12.0 |3 <<executable-file-creation-with-multiple-extensions-history, Version history>>
@@ -408,9 +420,9 @@ and their rule type is `machine_learning`.
 
 |<<execution-with-explicit-credentials-via-scripting, Execution with Explicit Credentials via Scripting>> |Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. |[Elastic] [Host] [macOS] [Threat Detection] [Execution] [Privilege Escalation]  |7.11.0 |2 <<execution-with-explicit-credentials-via-scripting-history, Version history>>
 
-|<<exploit-detected-elastic-endgame, Exploit - Detected - Elastic Endgame>> |Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<exploit-detected-elastic-endgame-history, Version history>>
+|<<exploit-detected-elastic-endgame, Exploit - Detected - Elastic Endgame>> |Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<exploit-detected-elastic-endgame-history, Version history>>
 
-|<<exploit-prevented-elastic-endgame, Exploit - Prevented - Elastic Endgame>> |Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<exploit-prevented-elastic-endgame-history, Version history>>
+|<<exploit-prevented-elastic-endgame, Exploit - Prevented - Elastic Endgame>> |Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<exploit-prevented-elastic-endgame-history, Version history>>
 
 |<<exporting-exchange-mailbox-via-powershell, Exporting Exchange Mailbox via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. |[Elastic] [Host] [Windows] [Threat Detection] [Collection]  |7.11.0 |6 <<exporting-exchange-mailbox-via-powershell-history, Version history>>
 
@@ -470,23 +482,25 @@ and their rule type is `machine_learning`.
 
 |<<gcp-virtual-private-cloud-network-deletion, GCP Virtual Private Cloud Network Deletion>> |Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |5 <<gcp-virtual-private-cloud-network-deletion-history, Version history>>
 
-|<<gcp-virtual-private-cloud-route-creation, GCP Virtual Private Cloud Route Creation>> |Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |5 <<gcp-virtual-private-cloud-route-creation-history, Version history>>
+|<<gcp-virtual-private-cloud-route-creation, GCP Virtual Private Cloud Route Creation>> |Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |6 <<gcp-virtual-private-cloud-route-creation-history, Version history>>
 
 |<<gcp-virtual-private-cloud-route-deletion, GCP Virtual Private Cloud Route Deletion>> |Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |5 <<gcp-virtual-private-cloud-route-deletion-history, Version history>>
 
-|<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority, Google Workspace API Access Granted via Domain-Wide Delegation of Authority>> |Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |5 <<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history, Version history>>
+|<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority, Google Workspace API Access Granted via Domain-Wide Delegation of Authority>> |Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history, Version history>>
+
+|<<google-workspace-admin-role-assigned-to-a-user, Google Workspace Admin Role Assigned to a User>> |Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-admin-role-assigned-to-a-user-history, Version history>>
 
-|<<google-workspace-admin-role-assigned-to-a-user, Google Workspace Admin Role Assigned to a User>> |Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |5 <<google-workspace-admin-role-assigned-to-a-user-history, Version history>>
+|<<google-workspace-admin-role-deletion, Google Workspace Admin Role Deletion>> |Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-admin-role-deletion-history, Version history>>
 
-|<<google-workspace-admin-role-deletion, Google Workspace Admin Role Deletion>> |Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |5 <<google-workspace-admin-role-deletion-history, Version history>>
+|<<google-workspace-custom-admin-role-created, Google Workspace Custom Admin Role Created>> |Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-custom-admin-role-created-history, Version history>>
 
-|<<google-workspace-custom-admin-role-created, Google Workspace Custom Admin Role Created>> |Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |5 <<google-workspace-custom-admin-role-created-history, Version history>>
+|<<google-workspace-mfa-enforcement-disabled, Google Workspace MFA Enforcement Disabled>> |Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |7 <<google-workspace-mfa-enforcement-disabled-history, Version history>>
 
-|<<google-workspace-mfa-enforcement-disabled, Google Workspace MFA Enforcement Disabled>> |Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |6 <<google-workspace-mfa-enforcement-disabled-history, Version history>>
+|<<google-workspace-password-policy-modified, Google Workspace Password Policy Modified>> |Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |7 <<google-workspace-password-policy-modified-history, Version history>>
 
-|<<google-workspace-password-policy-modified, Google Workspace Password Policy Modified>> |Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-password-policy-modified-history, Version history>>
+|<<google-workspace-role-modified, Google Workspace Role Modified>> |Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<google-workspace-role-modified-history, Version history>>
 
-|<<google-workspace-role-modified, Google Workspace Role Modified>> |Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |5 <<google-workspace-role-modified-history, Version history>>
+|<<group-policy-abuse-for-privilege-addition, Group Policy Abuse for Privilege Addition>> |This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation] [Active Directory]  |8.0.0 |1
 
 |<<halfbaked-command-and-control-beacon, Halfbaked Command and Control Beacon>> |Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. |[Elastic] [Network] [Threat Detection] [Command and Control] [Host]  |7.10.0 |6 <<halfbaked-command-and-control-beacon-history, Version history>>
 
@@ -508,15 +522,15 @@ and their rule type is `machine_learning`.
 
 |<<inbound-connection-to-an-unsecure-elasticsearch-node, Inbound Connection to an Unsecure Elasticsearch Node>> |Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. |[Elastic] [Network] [Threat Detection] [Initial Access] [Host]  |7.10.0 |5 <<inbound-connection-to-an-unsecure-elasticsearch-node-history, Version history>>
 
-|<<incoming-dcom-lateral-movement-via-mshta, Incoming DCOM Lateral Movement via MSHTA>> |Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<incoming-dcom-lateral-movement-via-mshta-history, Version history>>
+|<<incoming-dcom-lateral-movement-via-mshta, Incoming DCOM Lateral Movement via MSHTA>> |Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |5 <<incoming-dcom-lateral-movement-via-mshta-history, Version history>>
 
-|<<incoming-dcom-lateral-movement-with-mmc, Incoming DCOM Lateral Movement with MMC>> |Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<incoming-dcom-lateral-movement-with-mmc-history, Version history>>
+|<<incoming-dcom-lateral-movement-with-mmc, Incoming DCOM Lateral Movement with MMC>> |Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |5 <<incoming-dcom-lateral-movement-with-mmc-history, Version history>>
 
-|<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows, Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows>> |Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows-history, Version history>>
+|<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows, Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows>> |Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |5 <<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows-history, Version history>>
 
-|<<incoming-execution-via-powershell-remoting, Incoming Execution via PowerShell Remoting>> |Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<incoming-execution-via-powershell-remoting-history, Version history>>
+|<<incoming-execution-via-powershell-remoting, Incoming Execution via PowerShell Remoting>> |Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<incoming-execution-via-powershell-remoting-history, Version history>>
 
-|<<incoming-execution-via-winrm-remote-shell, Incoming Execution via WinRM Remote Shell>> |Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<incoming-execution-via-winrm-remote-shell-history, Version history>>
+|<<incoming-execution-via-winrm-remote-shell, Incoming Execution via WinRM Remote Shell>> |Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<incoming-execution-via-winrm-remote-shell-history, Version history>>
 
 |<<installutil-process-making-network-connections, InstallUtil Process Making Network Connections>> |Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |4 <<installutil-process-making-network-connections-history, Version history>>
 
@@ -540,19 +554,19 @@ and their rule type is `machine_learning`.
 
 |<<lateral-movement-via-startup-folder, Lateral Movement via Startup Folder>> |Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<lateral-movement-via-startup-folder-history, Version history>>
 
-|<<lateral-tool-transfer, Lateral Tool Transfer>> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<lateral-tool-transfer-history, Version history>>
+|<<lateral-tool-transfer, Lateral Tool Transfer>> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<lateral-tool-transfer-history, Version history>>
 
 |<<launch-agent-creation-or-modification-and-immediate-loading, Launch Agent Creation or Modification and Immediate Loading>> |An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.11.0 |2 <<launch-agent-creation-or-modification-and-immediate-loading-history, Version history>>
 
-|<<launchdaemon-creation-or-modification-and-immediate-loading, LaunchDaemon Creation or Modification and Immediate Loading>> |Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.11.0 |2 <<launchdaemon-creation-or-modification-and-immediate-loading-history, Version history>>
+|<<launchdaemon-creation-or-modification-and-immediate-loading, LaunchDaemon Creation or Modification and Immediate Loading>> |Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.11.0 |3 <<launchdaemon-creation-or-modification-and-immediate-loading-history, Version history>>
 
 |<<local-scheduled-task-creation, Local Scheduled Task Creation>> |A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |9 <<local-scheduled-task-creation-history, Version history>>
 
-|<<mfa-disabled-for-google-workspace-organization, MFA Disabled for Google Workspace Organization>> |Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |6 <<mfa-disabled-for-google-workspace-organization-history, Version history>>
+|<<mfa-disabled-for-google-workspace-organization, MFA Disabled for Google Workspace Organization>> |Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Elastic] [Cloud] [Google Workspace] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.11.0 |7 <<mfa-disabled-for-google-workspace-organization-history, Version history>>
 
-|<<malware-detected-elastic-endgame, Malware - Detected - Elastic Endgame>> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<malware-detected-elastic-endgame-history, Version history>>
+|<<malware-detected-elastic-endgame, Malware - Detected - Elastic Endgame>> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<malware-detected-elastic-endgame-history, Version history>>
 
-|<<malware-prevented-elastic-endgame, Malware - Prevented - Elastic Endgame>> |Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<malware-prevented-elastic-endgame-history, Version history>>
+|<<malware-prevented-elastic-endgame, Malware - Prevented - Elastic Endgame>> |Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<malware-prevented-elastic-endgame-history, Version history>>
 
 |<<microsoft-365-exchange-anti-phish-policy-deletion, Microsoft 365 Exchange Anti-Phish Policy Deletion>> |Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |4 <<microsoft-365-exchange-anti-phish-policy-deletion-history, Version history>>
 
@@ -578,7 +592,7 @@ and their rule type is `machine_learning`.
 
 |<<microsoft-365-new-inbox-rule-created, Microsoft 365 New Inbox Rule Created>> |Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.13.0 |1
 
-|<<microsoft-365-potential-ransomware-activity, Microsoft 365 Potential ransomware activity>> |Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.16.0 |1
+|<<microsoft-365-potential-ransomware-activity, Microsoft 365 Potential ransomware activity>> |Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.16.0 |2 <<microsoft-365-potential-ransomware-activity-history, Version history>>
 
 |<<microsoft-365-teams-custom-application-interaction-allowed, Microsoft 365 Teams Custom Application Interaction Allowed>> |Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.11.0 |4 <<microsoft-365-teams-custom-application-interaction-allowed-history, Version history>>
 
@@ -612,6 +626,8 @@ and their rule type is `machine_learning`.
 
 |<<microsoft-iis-service-account-password-dumped, Microsoft IIS Service Account Password Dumped>> |Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |4 <<microsoft-iis-service-account-password-dumped-history, Version history>>
 
+|<<microsoft-windows-defender-tampering, Microsoft Windows Defender Tampering>> |Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
+
 |<<mimikatz-memssp-log-file-detected, Mimikatz Memssp Log File Detected>> |Identifies the password log file from the default Mimikatz memssp module. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |4 <<mimikatz-memssp-log-file-detected-history, Version history>>
 
 |<<modification-of-amsienable-registry-key, Modification of AmsiEnable Registry Key>> |JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.14.0 |2 <<modification-of-amsienable-registry-key-history, Version history>>
@@ -668,10 +684,12 @@ and their rule type is `machine_learning`.
 
 |<<nullsessionpipe-registry-modification, NullSessionPipe Registry Modification>> |Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.13.0 |1
 
-|<<o365-excessive-single-sign-on-logon-errors, O365 Excessive Single Sign-On Logon Errors>> |Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.14.0 |2 <<o365-excessive-single-sign-on-logon-errors-history, Version history>>
+|<<o365-excessive-single-sign-on-logon-errors, O365 Excessive Single Sign-On Logon Errors>> |Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.14.0 |3 <<o365-excessive-single-sign-on-logon-errors-history, Version history>>
 
 |<<o365-exchange-suspicious-mailbox-right-delegation, O365 Exchange Suspicious Mailbox Right Delegation>> |Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.16.0 |1
 
+|<<o365-mailbox-audit-logging-bypass, O365 Mailbox Audit Logging Bypass>> |Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account. |[Elastic] [Cloud] [Microsoft 365] [Continuous Monitoring] [SecOps] [Initial Access]  |8.0.0 |1
+
 |<<okta-brute-force-or-password-spraying-attack, Okta Brute Force or Password Spraying Attack>> |Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |5 <<okta-brute-force-or-password-spraying-attack-history, Version history>>
 
 |<<outbound-scheduled-task-activity-via-powershell, Outbound Scheduled Task Activity via PowerShell>> |Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.11.0 |4 <<outbound-scheduled-task-activity-via-powershell-history, Version history>>
@@ -680,9 +698,9 @@ and their rule type is `machine_learning`.
 
 |<<peripheral-device-discovery, Peripheral Device Discovery>> |Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.11.0 |3 <<peripheral-device-discovery-history, Version history>>
 
-|<<permission-theft-detected-elastic-endgame, Permission Theft - Detected - Elastic Endgame>> |Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<permission-theft-detected-elastic-endgame-history, Version history>>
+|<<permission-theft-detected-elastic-endgame, Permission Theft - Detected - Elastic Endgame>> |Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<permission-theft-detected-elastic-endgame-history, Version history>>
 
-|<<permission-theft-prevented-elastic-endgame, Permission Theft - Prevented - Elastic Endgame>> |Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<permission-theft-prevented-elastic-endgame-history, Version history>>
+|<<permission-theft-prevented-elastic-endgame, Permission Theft - Prevented - Elastic Endgame>> |Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<permission-theft-prevented-elastic-endgame-history, Version history>>
 
 |<<persistence-via-bits-job-notify-cmdline, Persistence via BITS Job Notify Cmdline>> |An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.13.0 |1
 
@@ -690,7 +708,7 @@ and their rule type is `machine_learning`.
 
 |<<persistence-via-docker-shortcut-modification, Persistence via Docker Shortcut Modification>> |An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.12.0 |2 <<persistence-via-docker-shortcut-modification-history, Version history>>
 
-|<<persistence-via-folder-action-script, Persistence via Folder Action Script>> |A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |[Elastic] [Host] [macOS] [Threat Detection] [Execution] [Persistence]  |7.11.0 |3 <<persistence-via-folder-action-script-history, Version history>>
+|<<persistence-via-folder-action-script, Persistence via Folder Action Script>> |A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |[Elastic] [Host] [macOS] [Threat Detection] [Execution] [Persistence]  |7.11.0 |4 <<persistence-via-folder-action-script-history, Version history>>
 
 |<<persistence-via-hidden-run-key-detected, Persistence via Hidden Run Key Detected>> |Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |3 <<persistence-via-hidden-run-key-detected-history, Version history>>
 
@@ -730,7 +748,11 @@ and their rule type is `machine_learning`.
 
 |<<potential-cookies-theft-via-browser-debugging, Potential Cookies Theft via Browser Debugging>> |Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. |[Elastic] [Host] [Linux] [Windows] [macOS] [Threat Detection] [Credential Access]  |7.12.0 |1
 
-|<<potential-credential-access-via-duplicatehandle-in-lsass, Potential Credential Access via DuplicateHandle in LSASS>> |Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.16.0 |1
+|<<potential-credential-access-via-duplicatehandle-in-lsass, Potential Credential Access via DuplicateHandle in LSASS>> |Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.16.0 |2 <<potential-credential-access-via-duplicatehandle-in-lsass-history, Version history>>
+
+|<<potential-credential-access-via-lsass-memory-dump, Potential Credential Access via LSASS Memory Dump>> |Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |8.0.0 |1
+
+|<<potential-credential-access-via-renamed-com-services-dll, Potential Credential Access via Renamed COM+ Services DLL>> |Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |8.0.0 |1
 
 |<<potential-credential-access-via-windows-utilities, Potential Credential Access via Windows Utilities>> |Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.11.0 |5 <<potential-credential-access-via-windows-utilities-history, Version history>>
 
@@ -752,6 +774,10 @@ and their rule type is `machine_learning`.
 
 |<<potential-lsa-authentication-package-abuse, Potential LSA Authentication Package Abuse>> |Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.12.0 |1
 
+|<<potential-lsass-clone-creation-via-psscapturesnapshot, Potential LSASS Clone Creation via PssCaptureSnapShot>> |Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |8.0.0 |1
+
+|<<potential-lsass-memory-dump-via-psscapturesnapshot, Potential LSASS Memory Dump via PssCaptureSnapShot>> |Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |8.0.0 |1
+
 |<<potential-microsoft-office-sandbox-evasion, Potential Microsoft Office Sandbox Evasion>> |Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. |[Elastic] [Host] [macOS] [Threat Detection] [Defense Evasion]  |7.12.0 |1
 
 |<<potential-modification-of-accessibility-binaries, Potential Modification of Accessibility Binaries>> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |7 <<potential-modification-of-accessibility-binaries-history, Version history>>
@@ -778,10 +804,14 @@ and their rule type is `machine_learning`.
 
 |<<potential-privacy-control-bypass-via-tccdb-modification, Potential Privacy Control Bypass via TCCDB Modification>> |Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. |[Elastic] [Host] [macOS] [Threat Detection] [Defense Evasion]  |7.12.0 |2 <<potential-privacy-control-bypass-via-tccdb-modification-history, Version history>>
 
+|<<potential-privilege-escalation-via-installerfiletakeover, Potential Privilege Escalation via InstallerFileTakeOver>> |Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |8.0.0 |1
+
 |<<potential-privilege-escalation-via-sudoers-file-modification, Potential Privilege Escalation via Sudoers File Modification>> |A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Elastic] [Host] [Linux] [macOS] [Threat Detection] [Privilege Escalation]  |7.12.0 |1
 
 |<<potential-process-herpaderping-attempt, Potential Process Herpaderping Attempt>> |Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.11.0 |2 <<potential-process-herpaderping-attempt-history, Version history>>
 
+|<<potential-process-injection-via-powershell, Potential Process Injection via PowerShell>> |Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |2
+
 |<<potential-protocol-tunneling-via-earthworm, Potential Protocol Tunneling via EarthWorm>> |Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. |[Elastic] [Host] [Linux] [Threat Detection] [Command and Control]  |7.13.0 |1
 
 |<<potential-remote-desktop-shadowing-activity, Potential Remote Desktop Shadowing Activity>> |Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.13.0 |1
@@ -794,20 +824,30 @@ and their rule type is `machine_learning`.
 
 |<<potential-secure-file-deletion-via-sdelete-utility, Potential Secure File Deletion via SDelete Utility>> |Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |5 <<potential-secure-file-deletion-via-sdelete-utility-history, Version history>>
 
-|<<potential-sharprdp-behavior, Potential SharpRDP Behavior>> |Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<potential-sharprdp-behavior-history, Version history>>
+|<<potential-sharprdp-behavior, Potential SharpRDP Behavior>> |Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |5 <<potential-sharprdp-behavior-history, Version history>>
 
 |<<potential-shell-via-web-server, Potential Shell via Web Server>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Host] [Linux] [Threat Detection] [Persistence]  |7.6.0 |9 <<potential-shell-via-web-server-history, Version history>>
 
 |<<potential-windows-error-manager-masquerading, Potential Windows Error Manager Masquerading>> |Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |4 <<potential-windows-error-manager-masquerading-history, Version history>>
 
-|<<powershell-minidump-script, PowerShell MiniDump Script>> |This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.16.0 |1
+|<<powershell-keylogging-script, PowerShell Keylogging Script>> |Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. |[Elastic] [Host] [Windows] [Threat Detection] [Collection]  |8.0.0 |2
+
+|<<powershell-minidump-script, PowerShell MiniDump Script>> |This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.16.0 |3 <<powershell-minidump-script-history, Version history>>
+
+|<<powershell-psreflect-script, PowerShell PSReflect Script>> |Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |8.0.0 |1
+
+|<<powershell-suspicious-discovery-related-windows-api-functions, PowerShell Suspicious Discovery Related Windows API Functions>> |This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.16.0 |3 <<powershell-suspicious-discovery-related-windows-api-functions-history, Version history>>
 
-|<<powershell-suspicious-discovery-related-windows-api-functions, PowerShell Suspicious Discovery Related Windows API Functions>> |This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc., |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.16.0 |1
+|<<powershell-suspicious-payload-encoded-and-compressed, PowerShell Suspicious Payload Encoded and Compressed>> |Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
 
-|<<powershell-suspicious-script-with-audio-capture-capabilities, PowerShell Suspicious Script with Audio Capture Capabilities>> |Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling. |[Elastic] [Host] [Windows] [Threat Detection] [Collection]  |7.16.0 |1
+|<<powershell-suspicious-script-with-audio-capture-capabilities, PowerShell Suspicious Script with Audio Capture Capabilities>> |Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. |[Elastic] [Host] [Windows] [Threat Detection] [Collection]  |7.16.0 |3 <<powershell-suspicious-script-with-audio-capture-capabilities-history, Version history>>
+
+|<<powershell-suspicious-script-with-screenshot-capabilities, PowerShell Suspicious Script with Screenshot Capabilities>> |Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools). |[Elastic] [Host] [Windows] [Threat Detection] [Collection]  |8.0.0 |1
 
 |<<privilege-escalation-via-named-pipe-impersonation, Privilege Escalation via Named Pipe Impersonation>> |Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.11.0 |3 <<privilege-escalation-via-named-pipe-impersonation-history, Version history>>
 
+|<<privilege-escalation-via-rogue-named-pipe-impersonation, Privilege Escalation via Rogue Named Pipe Impersonation>> |Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |8.0.0 |1
+
 |<<privilege-escalation-via-root-crontab-file-modification, Privilege Escalation via Root Crontab File Modification>> |Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities. |[Elastic] [Host] [macOS] [Threat Detection] [Privilege Escalation]  |7.12.0 |1
 
 |<<privilege-escalation-via-windir-environment-variable, Privilege Escalation via Windir Environment Variable>> |Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.11.0 |3 <<privilege-escalation-via-windir-environment-variable-history, Version history>>
@@ -816,9 +856,9 @@ and their rule type is `machine_learning`.
 
 |<<process-execution-from-an-unusual-directory, Process Execution from an Unusual Directory>> |Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.11.0 |3 <<process-execution-from-an-unusual-directory-history, Version history>>
 
-|<<process-injection-detected-elastic-endgame, Process Injection - Detected - Elastic Endgame>> |Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<process-injection-detected-elastic-endgame-history, Version history>>
+|<<process-injection-detected-elastic-endgame, Process Injection - Detected - Elastic Endgame>> |Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<process-injection-detected-elastic-endgame-history, Version history>>
 
-|<<process-injection-prevented-elastic-endgame, Process Injection - Prevented - Elastic Endgame>> |Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<process-injection-prevented-elastic-endgame-history, Version history>>
+|<<process-injection-prevented-elastic-endgame, Process Injection - Prevented - Elastic Endgame>> |Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |7 <<process-injection-prevented-elastic-endgame-history, Version history>>
 
 |<<process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> |An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |5 <<process-injection-by-the-microsoft-build-engine-history, Version history>>
 
@@ -838,9 +878,9 @@ and their rule type is `machine_learning`.
 
 |<<rpc-remote-procedure-call-to-the-internet, RPC (Remote Procedure Call) to the Internet>> |This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. |[Elastic] [Host] [Network] [Threat Detection] [Initial Access] [Host]  |7.6.0 |11 <<rpc-remote-procedure-call-to-the-internet-history, Version history>>
 
-|<<ransomware-detected-elastic-endgame, Ransomware - Detected - Elastic Endgame>> |Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<ransomware-detected-elastic-endgame-history, Version history>>
+|<<ransomware-detected-elastic-endgame, Ransomware - Detected - Elastic Endgame>> |Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |8 <<ransomware-detected-elastic-endgame-history, Version history>>
 
-|<<ransomware-prevented-elastic-endgame, Ransomware - Prevented - Elastic Endgame>> |Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |6 <<ransomware-prevented-elastic-endgame-history, Version history>>
+|<<ransomware-prevented-elastic-endgame, Ransomware - Prevented - Elastic Endgame>> |Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Elastic Endgame]  |7.6.0 |8 <<ransomware-prevented-elastic-endgame-history, Version history>>
 
 |<<rare-aws-error-code, Rare AWS Error Code>> |A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |7 <<rare-aws-error-code-history, Version history>>
 
@@ -868,15 +908,15 @@ and their rule type is `machine_learning`.
 
 |<<remote-ssh-login-enabled-via-systemsetup-command, Remote SSH Login Enabled via systemsetup Command>> |Detects use of the systemsetup command to enable remote SSH Login. |[Elastic] [Host] [macOS] [Threat Detection] [Lateral Movement]  |7.10.0 |3 <<remote-ssh-login-enabled-via-systemsetup-command-history, Version history>>
 
-|<<remote-scheduled-task-creation, Remote Scheduled Task Creation>> |Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |5 <<remote-scheduled-task-creation-history, Version history>>
+|<<remote-scheduled-task-creation, Remote Scheduled Task Creation>> |Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |6 <<remote-scheduled-task-creation-history, Version history>>
 
 |<<remote-system-discovery-commands, Remote System Discovery Commands>> |Discovery of remote system information using built-in commands, which may be used to mover laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.11.0 |3 <<remote-system-discovery-commands-history, Version history>>
 
-|<<remotely-started-services-via-rpc, Remotely Started Services via RPC>> |Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<remotely-started-services-via-rpc-history, Version history>>
+|<<remotely-started-services-via-rpc, Remotely Started Services via RPC>> |Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<remotely-started-services-via-rpc-history, Version history>>
 
 |<<renamed-autoit-scripts-interpreter, Renamed AutoIt Scripts Interpreter>> |Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |5 <<renamed-autoit-scripts-interpreter-history, Version history>>
 
-|<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet, Roshal Archive (RAR) or PowerShell File Downloaded from the Internet>> |Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. |[Elastic] [Network] [Threat Detection] [Command and Control] [Host]  |7.10.0 |8 <<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet-history, Version history>>
+|<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet, Roshal Archive (RAR) or PowerShell File Downloaded from the Internet>> |Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. |[Elastic] [Network] [Threat Detection] [Command and Control] [Host]  |7.10.0 |9 <<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet-history, Version history>>
 
 |<<sip-provider-modification, SIP Provider Modification>> |Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.12.0 |1
 
@@ -890,6 +930,8 @@ and their rule type is `machine_learning`.
 
 |<<scheduled-task-created-by-a-windows-script, Scheduled Task Created by a Windows Script>> |A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |5 <<scheduled-task-created-by-a-windows-script-history, Version history>>
 
+|<<scheduled-task-execution-at-scale-via-gpo, Scheduled Task Execution at Scale via GPO>> |Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation] [Active Directory]  |8.0.0 |1
+
 |<<scheduled-tasks-at-command-enabled, Scheduled Tasks AT Command Enabled>> |Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.11.0 |3 <<scheduled-tasks-at-command-enabled-history, Version history>>
 
 |<<screensaver-plist-file-modified-by-unexpected-process, Screensaver Plist File Modified by Unexpected Process>> |Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.16.0 |1
@@ -934,6 +976,8 @@ and their rule type is `machine_learning`.
 
 |<<startup-or-run-key-registry-modification, Startup or Run Key Registry Modification>> |Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |4 <<startup-or-run-key-registry-modification-history, Version history>>
 
+|<<startup-logon-script-added-to-group-policy-object, Startup/Logon Script added to Group Policy Object>> |Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation] [Active Directory]  |8.0.0 |1
+
 |<<strace-process-activity, Strace Process Activity>> |Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |7 <<strace-process-activity-history, Version history>>
 
 |<<sublime-plugin-or-application-script-modification, Sublime Plugin or Application Script Modification>> |Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.12.0 |1
@@ -944,6 +988,8 @@ and their rule type is `machine_learning`.
 
 |<<suspicious-.net-code-compilation, Suspicious .NET Code Compilation>> |Identifies suspicious .NET code execution. connections. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |5 <<suspicious-.net-code-compilation-history, Version history>>
 
+|<<suspicious-.net-reflection-via-powershell, Suspicious .NET Reflection via PowerShell>> |This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
+
 |<<suspicious-activity-reported-by-okta-user, Suspicious Activity Reported by Okta User>> |Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |6 <<suspicious-activity-reported-by-okta-user-history, Version history>>
 
 |<<suspicious-automator-workflows-execution, Suspicious Automator Workflows Execution>> |Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. |[Elastic] [Host] [macOS] [Threat Detection] [Execution]  |7.12.0 |1
@@ -952,7 +998,7 @@ and their rule type is `machine_learning`.
 
 |<<suspicious-calendar-file-modification, Suspicious Calendar File Modification>> |Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence. |[Elastic] [Host] [macOS] [Threat Detection] [Persistence]  |7.12.0 |1
 
-|<<suspicious-certutil-commands, Suspicious CertUtil Commands>> |Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |9 <<suspicious-certutil-commands-history, Version history>>
+|<<suspicious-certutil-commands, Suspicious CertUtil Commands>> |Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |10 <<suspicious-certutil-commands-history, Version history>>
 
 |<<suspicious-child-process-of-adobe-acrobat-reader-update-service, Suspicious Child Process of Adobe Acrobat Reader Update Service>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched. |[Elastic] [Host] [macOS] [Threat Detection] [Privilege Escalation]  |7.12.0 |1
 
@@ -978,7 +1024,7 @@ and their rule type is `machine_learning`.
 
 |<<suspicious-imagepath-service-creation, Suspicious ImagePath Service Creation>> |Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.11.0 |3 <<suspicious-imagepath-service-creation-history, Version history>>
 
-|<<suspicious-jar-child-process, Suspicious JAR Child Process>> |Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection. |[Elastic] [Host] [Linux] [macOS] [Threat Detection] [Execution]  |7.12.0 |2 <<suspicious-jar-child-process-history, Version history>>
+|<<suspicious-java-child-process, Suspicious JAVA Child Process>> |Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. |[Elastic] [Host] [Linux] [macOS] [Threat Detection] [Execution]  |7.12.0 |3 <<suspicious-java-child-process-history, Version history>>
 
 |<<suspicious-ms-office-child-process, Suspicious MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. |[Elastic] [Host] [Windows] [Threat Detection] [Initial Access]  |7.6.0 |9 <<suspicious-ms-office-child-process-history, Version history>>
 
@@ -988,7 +1034,7 @@ and their rule type is `machine_learning`.
 
 |<<suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> |Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.7.0 |7 <<suspicious-pdf-reader-child-process-history, Version history>>
 
-|<<suspicious-portable-executable-encoded-in-powershell-script, Suspicious Portable Executable Encoded in Powershell Script>> |This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk., |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.16.0 |1
+|<<suspicious-portable-executable-encoded-in-powershell-script, Suspicious Portable Executable Encoded in Powershell Script>> |Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.16.0 |3 <<suspicious-portable-executable-encoded-in-powershell-script-history, Version history>>
 
 |<<suspicious-powershell-engine-imageload, Suspicious PowerShell Engine ImageLoad>> |Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.11.0 |4 <<suspicious-powershell-engine-imageload-history, Version history>>
 
@@ -1002,7 +1048,9 @@ and their rule type is `machine_learning`.
 
 |<<suspicious-printspooler-service-executable-file-creation, Suspicious PrintSpooler Service Executable File Creation>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.10.0 |4 <<suspicious-printspooler-service-executable-file-creation-history, Version history>>
 
-|<<suspicious-process-access-via-direct-system-call, Suspicious Process Access via Direct System Call>> |Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |1
+|<<suspicious-process-access-via-direct-system-call, Suspicious Process Access via Direct System Call>> |Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.16.0 |2 <<suspicious-process-access-via-direct-system-call-history, Version history>>
+
+|<<suspicious-process-creation-calltrace, Suspicious Process Creation CallTrace>> |Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
 
 |<<suspicious-process-execution-via-renamed-psexec-executable, Suspicious Process Execution via Renamed PsExec Executable>> |Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |4 <<suspicious-process-execution-via-renamed-psexec-executable-history, Version history>>
 
@@ -1028,6 +1076,8 @@ and their rule type is `machine_learning`.
 
 |<<svchost-spawning-cmd, Svchost spawning Cmd>> |Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |8 <<svchost-spawning-cmd-history, Version history>>
 
+|<<symbolic-link-to-shadow-copy-created, Symbolic Link to Shadow Copy Created>> |Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |8.0.0 |1
+
 |<<system-log-file-deletion, System Log File Deletion>> |Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.11.0 |3 <<system-log-file-deletion-history, Version history>>
 
 |<<system-shells-via-services, System Shells via Services>> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |10 <<system-shells-via-services-history, Version history>>
@@ -1040,11 +1090,13 @@ and their rule type is `machine_learning`.
 
 |<<telnet-port-activity, Telnet Port Activity>> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host]  |7.6.0 |9 <<telnet-port-activity-history, Version history>>
 
-|<<third-party-backup-files-deleted-via-unexpected-process, Third-party Backup Files Deleted via Unexpected Process>> |Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely. |[Elastic] [Host] [Windows] [Threat Detection] [Impact]  |7.16.0 |1
+|<<third-party-backup-files-deleted-via-unexpected-process, Third-party Backup Files Deleted via Unexpected Process>> |Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. |[Elastic] [Host] [Windows] [Threat Detection] [Impact]  |7.16.0 |2 <<third-party-backup-files-deleted-via-unexpected-process-history, Version history>>
 
 |<<threat-detected-by-okta-threatinsight, Threat Detected by Okta ThreatInsight>> |Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |6 <<threat-detected-by-okta-threatinsight-history, Version history>>
 
-|<<threat-intel-filebeat-module-indicator-match, Threat Intel Filebeat Module Indicator Match>> |This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations. |[Elastic] [Windows] [Elastic Endgame] [Network] [Continuous Monitoring] [SecOps] [Monitoring]  |7.13.0 |3 <<threat-intel-filebeat-module-indicator-match-history, Version history>>
+|<<threat-intel-filebeat-module-v8.x-indicator-match, Threat Intel Filebeat Module (v8.x) Indicator Match>> |This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. |[Elastic] [Windows] [Elastic Endgame] [Network] [Continuous Monitoring] [SecOps] [Monitoring]  |8.0.0 |1
+
+|<<threat-intel-indicator-match, Threat Intel Indicator Match>> |This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations. |[Elastic] [Windows] [Elastic Endgame] [Network] [Continuous Monitoring] [SecOps] [Monitoring]  |8.0.0 |1
 
 |<<timestomping-using-touch-command, Timestomping using Touch Command>> |Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. |[Elastic] [Host] [Linux] [macOS] [Threat Detection] [Defense Evasion]  |7.11.0 |4 <<timestomping-using-touch-command-history, Version history>>
 
@@ -1192,7 +1244,7 @@ and their rule type is `machine_learning`.
 
 |<<volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> |Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Host] [Windows] [Threat Detection] [Impact]  |7.6.0 |10 <<volume-shadow-copy-deletion-via-wmic-history, Version history>>
 
-|<<wmi-incoming-lateral-movement, WMI Incoming Lateral Movement>> |Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |3 <<wmi-incoming-lateral-movement-history, Version history>>
+|<<wmi-incoming-lateral-movement, WMI Incoming Lateral Movement>> |Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.11.0 |4 <<wmi-incoming-lateral-movement-history, Version history>>
 
 |<<web-application-suspicious-activity-no-user-agent, Web Application Suspicious Activity: No User Agent>> |A request to a web application server contained no identifying user agent string. |[Elastic] [APM]  |7.6.0 |7 <<web-application-suspicious-activity-no-user-agent-history, Version history>>
 
@@ -1208,7 +1260,7 @@ and their rule type is `machine_learning`.
 
 |<<webshell-detection-script-process-child-of-common-web-processes, Webshell Detection: Script Process Child of Common Web Processes>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.15.0 |3 <<webshell-detection-script-process-child-of-common-web-processes-history, Version history>>
 
-|<<whitespace-padding-in-process-command-line, Whitespace Padding in Process Command Line>> |Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.15.0 |2 <<whitespace-padding-in-process-command-line-history, Version history>>
+|<<whitespace-padding-in-process-command-line, Whitespace Padding in Process Command Line>> |Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.15.0 |4 <<whitespace-padding-in-process-command-line-history, Version history>>
 
 |<<whoami-process-activity, Whoami Process Activity>> |Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.6.0 |7 <<whoami-process-activity-history, Version history>>
 
@@ -1216,10 +1268,12 @@ and their rule type is `machine_learning`.
 
 |<<windows-defender-disabled-via-registry-modification, Windows Defender Disabled via Registry Modification>> |Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.12.0 |3 <<windows-defender-disabled-via-registry-modification-history, Version history>>
 
-|<<windows-defender-exclusions-added-via-powershell, Windows Defender Exclusions Added via PowerShell>> |Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.14.0 |4 <<windows-defender-exclusions-added-via-powershell-history, Version history>>
+|<<windows-defender-exclusions-added-via-powershell, Windows Defender Exclusions Added via PowerShell>> |Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.14.0 |5 <<windows-defender-exclusions-added-via-powershell-history, Version history>>
 
 |<<windows-event-logs-cleared, Windows Event Logs Cleared>> |Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.12.0 |2 <<windows-event-logs-cleared-history, Version history>>
 
+|<<windows-firewall-disabled-via-powershell, Windows Firewall Disabled via PowerShell>> |Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |8.0.0 |1
+
 |<<windows-network-enumeration, Windows Network Enumeration>> |Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.11.0 |4 <<windows-network-enumeration-history, Version history>>
 
 |<<windows-script-executing-powershell, Windows Script Executing PowerShell>> |Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. |[Elastic] [Host] [Windows] [Threat Detection] [Initial Access]  |7.6.0 |9 <<windows-script-executing-powershell-history, Version history>>
diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
index 5cafe5f44d..ccbe244502 100644
--- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
@@ -54,6 +54,7 @@ include::rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc[]
 include::rule-details/abnormally-large-dns-response.asciidoc[]
 include::rule-details/access-of-stored-browser-credentials.asciidoc[]
 include::rule-details/access-to-keychain-credentials-directories.asciidoc[]
+include::rule-details/account-password-reset-remotely.asciidoc[]
 include::rule-details/adfind-command-activity.asciidoc[]
 include::rule-details/adding-hidden-file-attribute-via-attrib.asciidoc[]
 include::rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc[]
@@ -103,7 +104,9 @@ include::rule-details/auditd-max-failed-login-attempts.asciidoc[]
 include::rule-details/auditd-max-login-sessions.asciidoc[]
 include::rule-details/authorization-plugin-modification.asciidoc[]
 include::rule-details/azure-active-directory-high-risk-sign-in.asciidoc[]
+include::rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc[]
 include::rule-details/azure-active-directory-powershell-sign-in.asciidoc[]
+include::rule-details/azure-alert-suppression-rule-created-or-modified.asciidoc[]
 include::rule-details/azure-application-credential-modification.asciidoc[]
 include::rule-details/azure-automation-account-created.asciidoc[]
 include::rule-details/azure-automation-runbook-created-or-modified.asciidoc[]
@@ -124,6 +127,7 @@ include::rule-details/azure-global-administrator-role-addition-to-pim-user.ascii
 include::rule-details/azure-key-vault-modified.asciidoc[]
 include::rule-details/azure-kubernetes-events-deleted.asciidoc[]
 include::rule-details/azure-kubernetes-pods-deleted.asciidoc[]
+include::rule-details/azure-kubernetes-rolebindings-created.asciidoc[]
 include::rule-details/azure-network-watcher-deletion.asciidoc[]
 include::rule-details/azure-privilege-identity-management-role-modified.asciidoc[]
 include::rule-details/azure-resource-group-deletion.asciidoc[]
@@ -134,6 +138,7 @@ include::rule-details/azure-virtual-network-device-modified-or-deleted.asciidoc[
 include::rule-details/base16-or-base32-encoding-decoding-activity.asciidoc[]
 include::rule-details/bash-shell-profile-modification.asciidoc[]
 include::rule-details/bypass-uac-via-event-viewer.asciidoc[]
+include::rule-details/clearing-windows-console-history.asciidoc[]
 include::rule-details/clearing-windows-event-logs.asciidoc[]
 include::rule-details/cobalt-strike-command-and-control-beacon.asciidoc[]
 include::rule-details/command-execution-via-solarwinds-process.asciidoc[]
@@ -183,6 +188,7 @@ include::rule-details/endpoint-security.asciidoc[]
 include::rule-details/enumeration-command-spawned-via-wmiprvse.asciidoc[]
 include::rule-details/enumeration-of-administrator-accounts.asciidoc[]
 include::rule-details/enumeration-of-kernel-modules.asciidoc[]
+include::rule-details/enumeration-of-privileged-local-groups-membership.asciidoc[]
 include::rule-details/enumeration-of-users-or-groups-via-built-in-commands.asciidoc[]
 include::rule-details/executable-file-creation-with-multiple-extensions.asciidoc[]
 include::rule-details/execution-from-unusual-directory-command-line.asciidoc[]
@@ -235,6 +241,7 @@ include::rule-details/google-workspace-custom-admin-role-created.asciidoc[]
 include::rule-details/google-workspace-mfa-enforcement-disabled.asciidoc[]
 include::rule-details/google-workspace-password-policy-modified.asciidoc[]
 include::rule-details/google-workspace-role-modified.asciidoc[]
+include::rule-details/group-policy-abuse-for-privilege-addition.asciidoc[]
 include::rule-details/halfbaked-command-and-control-beacon.asciidoc[]
 include::rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc[]
 include::rule-details/high-number-of-process-and-or-service-terminations.asciidoc[]
@@ -297,6 +304,7 @@ include::rule-details/microsoft-exchange-server-um-writing-suspicious-files.asci
 include::rule-details/microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[]
 include::rule-details/microsoft-iis-connection-strings-decryption.asciidoc[]
 include::rule-details/microsoft-iis-service-account-password-dumped.asciidoc[]
+include::rule-details/microsoft-windows-defender-tampering.asciidoc[]
 include::rule-details/mimikatz-memssp-log-file-detected.asciidoc[]
 include::rule-details/modification-of-amsienable-registry-key.asciidoc[]
 include::rule-details/modification-of-boot-configuration.asciidoc[]
@@ -327,6 +335,7 @@ include::rule-details/nping-process-activity.asciidoc[]
 include::rule-details/nullsessionpipe-registry-modification.asciidoc[]
 include::rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc[]
 include::rule-details/o365-exchange-suspicious-mailbox-right-delegation.asciidoc[]
+include::rule-details/o365-mailbox-audit-logging-bypass.asciidoc[]
 include::rule-details/okta-brute-force-or-password-spraying-attack.asciidoc[]
 include::rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc[]
 include::rule-details/parent-process-pid-spoofing.asciidoc[]
@@ -357,6 +366,8 @@ include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[]
 include::rule-details/potential-command-and-control-via-internet-explorer.asciidoc[]
 include::rule-details/potential-cookies-theft-via-browser-debugging.asciidoc[]
 include::rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[]
+include::rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc[]
+include::rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc[]
 include::rule-details/potential-credential-access-via-windows-utilities.asciidoc[]
 include::rule-details/potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc[]
 include::rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc[]
@@ -367,6 +378,8 @@ include::rule-details/potential-evasion-via-filter-manager.asciidoc[]
 include::rule-details/potential-hidden-local-user-account-creation.asciidoc[]
 include::rule-details/potential-kerberos-attack-via-bifrost.asciidoc[]
 include::rule-details/potential-lsa-authentication-package-abuse.asciidoc[]
+include::rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[]
+include::rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[]
 include::rule-details/potential-microsoft-office-sandbox-evasion.asciidoc[]
 include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[]
 include::rule-details/potential-openssh-backdoor-logging-activity.asciidoc[]
@@ -380,8 +393,10 @@ include::rule-details/potential-printnightmare-exploit-registry-modification.asc
 include::rule-details/potential-printnightmare-file-modification.asciidoc[]
 include::rule-details/potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[]
 include::rule-details/potential-privacy-control-bypass-via-tccdb-modification.asciidoc[]
+include::rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc[]
 include::rule-details/potential-privilege-escalation-via-sudoers-file-modification.asciidoc[]
 include::rule-details/potential-process-herpaderping-attempt.asciidoc[]
+include::rule-details/potential-process-injection-via-powershell.asciidoc[]
 include::rule-details/potential-protocol-tunneling-via-earthworm.asciidoc[]
 include::rule-details/potential-remote-desktop-shadowing-activity.asciidoc[]
 include::rule-details/potential-remote-desktop-tunneling-detected.asciidoc[]
@@ -391,10 +406,15 @@ include::rule-details/potential-secure-file-deletion-via-sdelete-utility.asciido
 include::rule-details/potential-sharprdp-behavior.asciidoc[]
 include::rule-details/potential-shell-via-web-server.asciidoc[]
 include::rule-details/potential-windows-error-manager-masquerading.asciidoc[]
+include::rule-details/powershell-keylogging-script.asciidoc[]
 include::rule-details/powershell-minidump-script.asciidoc[]
+include::rule-details/powershell-psreflect-script.asciidoc[]
 include::rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc[]
+include::rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc[]
 include::rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[]
+include::rule-details/powershell-suspicious-script-with-screenshot-capabilities.asciidoc[]
 include::rule-details/privilege-escalation-via-named-pipe-impersonation.asciidoc[]
+include::rule-details/privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc[]
 include::rule-details/privilege-escalation-via-root-crontab-file-modification.asciidoc[]
 include::rule-details/privilege-escalation-via-windir-environment-variable.asciidoc[]
 include::rule-details/process-activity-via-compiled-html-file.asciidoc[]
@@ -436,6 +456,7 @@ include::rule-details/smtp-on-port-26-tcp.asciidoc[]
 include::rule-details/ssh-authorized-keys-file-modification.asciidoc[]
 include::rule-details/sunburst-command-and-control-activity.asciidoc[]
 include::rule-details/scheduled-task-created-by-a-windows-script.asciidoc[]
+include::rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc[]
 include::rule-details/scheduled-tasks-at-command-enabled.asciidoc[]
 include::rule-details/screensaver-plist-file-modified-by-unexpected-process.asciidoc[]
 include::rule-details/searching-for-saved-credentials-via-vaultcmd.asciidoc[]
@@ -458,11 +479,13 @@ include::rule-details/spike-in-network-traffic.asciidoc[]
 include::rule-details/spike-in-network-traffic-to-a-country.asciidoc[]
 include::rule-details/startup-folder-persistence-via-unsigned-process.asciidoc[]
 include::rule-details/startup-or-run-key-registry-modification.asciidoc[]
+include::rule-details/startup-logon-script-added-to-group-policy-object.asciidoc[]
 include::rule-details/strace-process-activity.asciidoc[]
 include::rule-details/sublime-plugin-or-application-script-modification.asciidoc[]
 include::rule-details/sudo-heap-based-buffer-overflow-attempt.asciidoc[]
 include::rule-details/sudoers-file-modification.asciidoc[]
 include::rule-details/suspicious-.net-code-compilation.asciidoc[]
+include::rule-details/suspicious-.net-reflection-via-powershell.asciidoc[]
 include::rule-details/suspicious-activity-reported-by-okta-user.asciidoc[]
 include::rule-details/suspicious-automator-workflows-execution.asciidoc[]
 include::rule-details/suspicious-browser-child-process.asciidoc[]
@@ -480,7 +503,7 @@ include::rule-details/suspicious-explorer-child-process.asciidoc[]
 include::rule-details/suspicious-hidden-child-process-of-launchd.asciidoc[]
 include::rule-details/suspicious-image-load-taskschd.dll-from-ms-office.asciidoc[]
 include::rule-details/suspicious-imagepath-service-creation.asciidoc[]
-include::rule-details/suspicious-jar-child-process.asciidoc[]
+include::rule-details/suspicious-java-child-process.asciidoc[]
 include::rule-details/suspicious-ms-office-child-process.asciidoc[]
 include::rule-details/suspicious-ms-outlook-child-process.asciidoc[]
 include::rule-details/suspicious-managed-code-hosting-process.asciidoc[]
@@ -493,6 +516,7 @@ include::rule-details/suspicious-print-spooler-point-and-print-dll.asciidoc[]
 include::rule-details/suspicious-printspooler-spl-file-created.asciidoc[]
 include::rule-details/suspicious-printspooler-service-executable-file-creation.asciidoc[]
 include::rule-details/suspicious-process-access-via-direct-system-call.asciidoc[]
+include::rule-details/suspicious-process-creation-calltrace.asciidoc[]
 include::rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc[]
 include::rule-details/suspicious-process-from-conhost.asciidoc[]
 include::rule-details/suspicious-rdp-activex-client-loaded.asciidoc[]
@@ -505,6 +529,7 @@ include::rule-details/suspicious-werfault-child-process.asciidoc[]
 include::rule-details/suspicious-zoom-child-process.asciidoc[]
 include::rule-details/suspicious-macos-ms-office-child-process.asciidoc[]
 include::rule-details/svchost-spawning-cmd.asciidoc[]
+include::rule-details/symbolic-link-to-shadow-copy-created.asciidoc[]
 include::rule-details/system-log-file-deletion.asciidoc[]
 include::rule-details/system-shells-via-services.asciidoc[]
 include::rule-details/systemkey-access-via-command-line.asciidoc[]
@@ -513,7 +538,8 @@ include::rule-details/tampering-of-bash-command-line-history.asciidoc[]
 include::rule-details/telnet-port-activity.asciidoc[]
 include::rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc[]
 include::rule-details/threat-detected-by-okta-threatinsight.asciidoc[]
-include::rule-details/threat-intel-filebeat-module-indicator-match.asciidoc[]
+include::rule-details/threat-intel-filebeat-module-v8.x-indicator-match.asciidoc[]
+include::rule-details/threat-intel-indicator-match.asciidoc[]
 include::rule-details/timestomping-using-touch-command.asciidoc[]
 include::rule-details/uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc[]
 include::rule-details/uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc[]
@@ -601,6 +627,7 @@ include::rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-cur
 include::rule-details/windows-defender-disabled-via-registry-modification.asciidoc[]
 include::rule-details/windows-defender-exclusions-added-via-powershell.asciidoc[]
 include::rule-details/windows-event-logs-cleared.asciidoc[]
+include::rule-details/windows-firewall-disabled-via-powershell.asciidoc[]
 include::rule-details/windows-network-enumeration.asciidoc[]
 include::rule-details/windows-script-executing-powershell.asciidoc[]
 include::rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc
new file mode 100644
index 0000000000..77719ad13f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc
@@ -0,0 +1,74 @@
+[[account-password-reset-remotely]]
+=== Account Password Reset Remotely
+
+Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
+* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate remote account administration.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by host.id with maxspan=5m [authentication where
+event.action == "logged-in" and /* event 4624 need to be logged */
+winlog.logon.type : "Network" and event.outcome == "success" and
+source.ip != null and not source.ip in ("127.0.0.1", "::1")] by
+winlog.event_data.TargetLogonId /* event 4724 need to be logged */
+[iam where event.action == "reset-password"] by
+winlog.event_data.SubjectLogonId
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endgame.asciidoc
index b2f531a3df..1a52416df6 100644
--- a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon i
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<adversary-behavior-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<adversary-behavior-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:rules_engine_event)
 [[adversary-behavior-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc
index dbffa09756..690791109c 100644
--- a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc
@@ -33,11 +33,11 @@ Detects when a Google marketplace application is added to the Google Workspace d
 * SecOps
 * Configuration Audit
 
-*Version*: 5 (<<application-added-to-google-workspace-domain-history, version history>>)
+*Version*: 6 (<<application-added-to-google-workspace-domain-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Applications can be added to a Google Workspace domain by system administrators.
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,15 +72,24 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:ADD_APPLICATION
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:ADD_APPLICATION
 ----------------------------------
 
 
 [[application-added-to-google-workspace-domain-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:ADD_APPLICATION
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc
index a909d8909f..f2516a327d 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc
@@ -1,7 +1,7 @@
 [[aws-eventbridge-rule-disabled-or-deleted]]
 === AWS EventBridge Rule Disabled or Deleted
 
-Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or breaking the flow with other AWS services.
+Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.
 
 *Rule type*: query
 
@@ -34,10 +34,12 @@ Identifies when a user disabled or deleted an EventBridge rule. This activity ca
 * SecOps
 * Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-eventbridge-rule-disabled-or-deleted-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -75,3 +77,10 @@ or DisableRule) and event.outcome:success
 ** Name: Impact
 ** ID: TA0040
 ** Reference URL: https://attack.mitre.org/tactics/TA0040/
+
+[[aws-eventbridge-rule-disabled-or-deleted-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc
index 7fa41eb5b7..480720c47b 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc
@@ -1,7 +1,7 @@
 [[aws-rds-snapshot-restored]]
 === AWS RDS Snapshot Restored
 
-Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.
+Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.
 
 *Rule type*: query
 
@@ -34,10 +34,12 @@ Identifies when an attempt was made to restored RDS Snapshot. Snapshots are some
 * SecOps
 * Asset Visibility
 
-*Version*: 1
+*Version*: 2 (<<aws-rds-snapshot-restored-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -74,3 +76,10 @@ event.action:RestoreDBInstanceFromDBSnapshot and event.outcome:success
 ** Name: Exfiltration
 ** ID: TA0010
 ** Reference URL: https://attack.mitre.org/tactics/TA0010/
+
+[[aws-rds-snapshot-restored-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
new file mode 100644
index 0000000000..fbdb15bfd3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-active-directory-high-risk-user-sign-in-heuristic.asciidoc
@@ -0,0 +1,78 @@
+[[azure-active-directory-high-risk-user-sign-in-heuristic]]
+=== Azure Active Directory High Risk User Sign-in Heuristic
+
+Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
+* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
+* https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.signinlogs and
+azure.signinlogs.properties.risk_state:("confirmedCompromised" or
+"atRisk") and event.outcome:(success or Success)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-alert-suppression-rule-created-or-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-alert-suppression-rule-created-or-modified.asciidoc
new file mode 100644
index 0000000000..4aee6867a7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-alert-suppression-rule-created-or-modified.asciidoc
@@ -0,0 +1,81 @@
+[[azure-alert-suppression-rule-created-or-modified]]
+=== Azure Alert Suppression Rule Created or Modified
+
+Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+* https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome:
+"success"
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-events-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-events-deleted.asciidoc
index 861a6bda6d..2761439b71 100644
--- a/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-events-deleted.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-events-deleted.asciidoc
@@ -1,7 +1,7 @@
 [[azure-kubernetes-events-deleted]]
 === Azure Kubernetes Events Deleted
 
-Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
+Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
 
 *Rule type*: query
 
@@ -33,10 +33,12 @@ Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are ob
 * SecOps
 * Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<azure-kubernetes-events-deleted-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -78,3 +80,10 @@ and event.outcome:(Success or success)
 ** Name: Impair Defenses
 ** ID: T1562
 ** Reference URL: https://attack.mitre.org/techniques/T1562/
+
+[[azure-kubernetes-events-deleted-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-pods-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-pods-deleted.asciidoc
index 2609111e31..50b21ec4e9 100644
--- a/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-pods-deleted.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-pods-deleted.asciidoc
@@ -1,7 +1,7 @@
 [[azure-kubernetes-pods-deleted]]
 === Azure Kubernetes Pods Deleted
 
-Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.
+Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.
 
 *Rule type*: query
 
@@ -33,10 +33,12 @@ Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kuberne
 * SecOps
 * Asset Visibility
 
-*Version*: 1
+*Version*: 2 (<<azure-kubernetes-pods-deleted-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -74,3 +76,10 @@ event.outcome:(Success or success)
 ** Name: Impact
 ** ID: TA0040
 ** Reference URL: https://attack.mitre.org/tactics/TA0040/
+
+[[azure-kubernetes-pods-deleted-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-rolebindings-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-rolebindings-created.asciidoc
new file mode 100644
index 0000000000..7e8c2ff091
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-kubernetes-rolebindings-created.asciidoc
@@ -0,0 +1,75 @@
+[[azure-kubernetes-rolebindings-created]]
+=== Azure Kubernetes Rolebindings Created
+
+Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-azure*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+* https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and
+azure.activitylogs.operation_name: ("MICROSOFT.KUBERNETES/CONN
+ECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
+"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUS
+TERROLEBINDINGS/WRITE") and event.outcome:(Success or success)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc
new file mode 100644
index 0000000000..72dab00fff
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc
@@ -0,0 +1,71 @@
+[[clearing-windows-console-history]]
+=== Clearing Windows Console History
+
+Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
+* https://www.shellhacks.com/clear-history-powershell/
+* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+process where event.action == "start" and (process.name :
+("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+process.pe.original_file_name == "PowerShell.EXE") and
+(process.args : "*Clear-History*" or (process.args : ("*Remove-
+Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-
+PSReadlineOption).HistorySavePath*")) or (process.args : "*Set-
+PSReadlineOption*" and process.args : "*SaveNothing*"))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Indicator Removal on Host
+** ID: T1070
+** Reference URL: https://attack.mitre.org/techniques/T1070/
diff --git a/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc
index a334ea26ba..03145073f7 100644
--- a/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc
@@ -33,11 +33,11 @@ Identifies Component Object Model (COM) hijacking via registry modification. Adv
 * Threat Detection
 * Persistence
 
-*Version*: 4 (<<component-object-model-hijacking-history, version history>>)
+*Version*: 5 (<<component-object-model-hijacking-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.14.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -58,8 +58,11 @@ COM Registry changes on Users Hive is less noisy and worth alerting */
 "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
 "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
 "HKEY_USERS\\*Classes\\*\\TreatAs\\",
-"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and /* not
-necessary but good for filtering privileged installations */
+"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and not
+(process.executable : "?:\\Program Files*\\Veeam\\Backup and
+Replication\\Console\\veeam.backup.shell.exe" and registry.path
+: "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and /*
+not necessary but good for filtering privileged installations */
 user.domain != "NT AUTHORITY")
 ----------------------------------
 
@@ -79,6 +82,26 @@ user.domain != "NT AUTHORITY")
 [[component-object-model-hijacking-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+registry where /* uncomment once length is stable
+length(bytes_written_string) > 0 and */ (registry.path :
+"HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll",
+"C:\\*\\scrobj.dll") and not registry.path :
+"*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or /* in general
+COM Registry changes on Users Hive is less noisy and worth alerting */
+(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
+"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
+"HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
+"HKEY_USERS\\*Classes\\*\\TreatAs\\",
+"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and /* not
+necessary but good for filtering privileged installations */
+user.domain != "NT AUTHORITY")
+----------------------------------
+
 Version 4 (7.14.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc
index 428cd58103..58825a27d2 100644
--- a/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc
@@ -29,11 +29,11 @@ Adversaries may implement command and control communications that use common web
 * Threat Detection
 * Command and Control
 
-*Version*: 5 (<<connection-to-commonly-abused-web-services-history, version history>>)
+*Version*: 6 (<<connection-to-commonly-abused-web-services-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -56,9 +56,10 @@ new WebSvc domains here */ dns.question.name : (
 "*localtunnel.me", "*pagekite.me", "*localxpose.io",
 "*notabug.org", "rawcdn.githack.*",
 "paste.nrecom.net", "zerobin.net", "controlc.com",
-"requestbin.net" ) and /* Insert noisy false positives here */
-not process.executable : ( "?:\\Program Files\\*.exe",
-"?:\\Program Files (x86)\\*.exe",
+"requestbin.net", "cdn.discordapp.com",
+"discordapp.com", "discord.com" ) and /* Insert noisy
+false positives here */ not process.executable : (
+"?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe",
 "?:\\Windows\\System32\\WWAHost.exe",
 "?:\\Windows\\System32\\smartscreen.exe",
 "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
@@ -69,7 +70,8 @@ al\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
 "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
 "?:\\Windows\\system32\\mobsync.exe",
-"?:\\Windows\\SysWOW64\\mobsync.exe" )
+"?:\\Windows\\SysWOW64\\mobsync.exe",
+"?:\\Users\\*\\AppData\\Local\\Discord\\-*\\Discord.exe" )
 ----------------------------------
 
 ==== Threat mapping
@@ -98,6 +100,39 @@ al\\Google\\Chrome\\Application\\chrome.exe",
 [[connection-to-commonly-abused-web-services-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+network where network.protocol == "dns" and process.name != null
+and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and /* Add
+new WebSvc domains here */ dns.question.name : (
+"raw.githubusercontent.*", "*.pastebin.*",
+"*drive.google.*", "*docs.live.*",
+"*api.dropboxapi.*", "*dropboxusercontent.*",
+"*onedrive.*", "*4shared.*", "*.file.io",
+"*filebin.net", "*slack-files.com", "*ghostbin.*",
+"*ngrok.*", "*portmap.*", "*serveo.net",
+"*localtunnel.me", "*pagekite.me", "*localxpose.io",
+"*notabug.org", "rawcdn.githack.*",
+"paste.nrecom.net", "zerobin.net", "controlc.com",
+"requestbin.net" ) and /* Insert noisy false positives here */
+not process.executable : ( "?:\\Program Files\\*.exe",
+"?:\\Program Files (x86)\\*.exe",
+"?:\\Windows\\System32\\WWAHost.exe",
+"?:\\Windows\\System32\\smartscreen.exe",
+"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+"?:\\ProgramData\\Microsoft\\Windows
+Defender\\Platform\\*\\MsMpEng.exe", "?:\\Users\\*\\AppData\\Loc
+al\\Google\\Chrome\\Application\\chrome.exe",
+"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
+"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
+"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
+"?:\\Windows\\system32\\mobsync.exe",
+"?:\\Windows\\SysWOW64\\mobsync.exe" )
+----------------------------------
+
 Version 5 (7.16.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/control-panel-process-with-unusual-arguments.asciidoc b/docs/detections/prebuilt-rules/rule-details/control-panel-process-with-unusual-arguments.asciidoc
index 375f3e419f..26603240d9 100644
--- a/docs/detections/prebuilt-rules/rule-details/control-panel-process-with-unusual-arguments.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/control-panel-process-with-unusual-arguments.asciidoc
@@ -1,7 +1,7 @@
 [[control-panel-process-with-unusual-arguments]]
 === Control Panel Process with Unusual Arguments
 
-Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse Control.exe to proxy execution of malicious code.
+Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
 
 *Rule type*: eql
 
@@ -33,10 +33,12 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths
 * Threat Detection
 * Defense Evasion
 
-*Version*: 1
+*Version*: 2 (<<control-panel-process-with-unusual-arguments-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -68,3 +70,10 @@ process.executable : ("?:\\Windows\\SysWOW64\\control.exe",
 ** Name: Signed Binary Proxy Execution
 ** ID: T1218
 ** Reference URL: https://attack.mitre.org/techniques/T1218/
+
+[[control-panel-process-with-unusual-arguments-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endgame.asciidoc
index ec737162b0..336a2f37d8 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in t
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<credential-dumping-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<credential-dumping-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:cred_theft_event)
 [[credential-dumping-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endgame.asciidoc
index c55a00444a..1b006fff62 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<credential-dumping-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<credential-dumping-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:cred_theft_event)
 [[credential-dumping-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endgame.asciidoc
index df9cb0f334..4ce376d5b9 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<credential-manipulation-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<credential-manipulation-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:token_manipulation_event)
 [[credential-manipulation-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endgame.asciidoc
index 289c33fc4c..01dacaad63 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame ico
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<credential-manipulation-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<credential-manipulation-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:token_manipulation_event)
 [[credential-manipulation-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc
index ecd638fc09..417d8977d6 100644
--- a/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc
@@ -1,7 +1,7 @@
 [[dns-over-https-enabled-via-registry]]
 === DNS-over-HTTPS Enabled via Registry
 
-Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.
 
 *Rule type*: eql
 
@@ -34,10 +34,12 @@ Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet
 * Threat Detection
 * Defense Evasion
 
-*Version*: 1
+*Version*: 2 (<<dns-over-https-enabled-via-registry-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -69,3 +71,10 @@ registry.data.strings : "1")
 ** Name: Impair Defenses
 ** ID: T1562
 ** Reference URL: https://attack.mitre.org/techniques/T1562/
+
+[[dns-over-https-enabled-via-registry-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc
index 4c919b3e32..6fe5473701 100644
--- a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc
@@ -33,11 +33,11 @@ Detects when a domain is added to the list of trusted Google Workspace domains.
 * SecOps
 * Configuration Audit
 
-*Version*: 5 (<<domain-added-to-google-workspace-trusted-domains-history, version history>>)
+*Version*: 6 (<<domain-added-to-google-workspace-trusted-domains-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Trusted domains may be added by system administrators. Verify that the configura
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,15 +72,24 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:ADD_TRUSTED_DOMAINS
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:ADD_TRUSTED_DOMAINS
 ----------------------------------
 
 
 [[domain-added-to-google-workspace-trusted-domains-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:ADD_TRUSTED_DOMAINS
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/enumeration-of-privileged-local-groups-membership.asciidoc b/docs/detections/prebuilt-rules/rule-details/enumeration-of-privileged-local-groups-membership.asciidoc
new file mode 100644
index 0000000000..63d399a772
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/enumeration-of-privileged-local-groups-membership.asciidoc
@@ -0,0 +1,91 @@
+[[enumeration-of-privileged-local-groups-membership]]
+=== Enumeration of Privileged Local Groups Membership
+
+Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 43
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Discovery
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+This will require Windows security event 4799 by enabling audit success for the windows Account Management category and
+the Security Group Management subcategory.
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+iam where event.action == "user-member-enumerated" and /* noisy and
+usual legit processes excluded */ not
+winlog.event_data.CallerProcessName:
+("?:\\Windows\\System32\\VSSVC.exe",
+"?:\\Windows\\System32\\SearchIndexer.exe",
+"?:\\Windows\\System32\\CompatTelRunner.exe",
+"?:\\Windows\\System32\\oobe\\msoobe.exe",
+"?:\\Windows\\System32\\net1.exe",
+"?:\\Windows\\System32\\svchost.exe",
+"?:\\Windows\\System32\\Netplwiz.exe",
+"?:\\Windows\\System32\\msiexec.exe",
+"?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
+"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+"?:\\Windows\\System32\\SrTasks.exe",
+"?:\\Windows\\System32\\lsass.exe",
+"?:\\Windows\\System32\\diskshadow.exe",
+"?:\\Windows\\System32\\dfsrs.exe", "?:\\Program
+Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
+/* privileged local groups */
+(group.name:("admin*","RemoteDesktopUsers") or
+winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Permission Groups Discovery
+** ID: T1069
+** Reference URL: https://attack.mitre.org/techniques/T1069/
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endgame.asciidoc
index 51b4373494..e11fac7145 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<exploit-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<exploit-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:exploit_event)
 [[exploit-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endgame.asciidoc
index 4ae96b5c3b..df2c5935cd 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the even
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<exploit-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<exploit-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:exploit_event)
 [[exploit-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc
index 55e7c69da6..8211534116 100644
--- a/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc
@@ -1,7 +1,7 @@
 [[gcp-virtual-private-cloud-route-creation]]
 === GCP Virtual Private Cloud Route Creation
 
-Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
+Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
 
 *Rule type*: query
 
@@ -34,11 +34,11 @@ Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud P
 * SecOps
 * Configuration Audit
 
-*Version*: 5 (<<gcp-virtual-private-cloud-route-creation-history, version history>>)
+*Version*: 6 (<<gcp-virtual-private-cloud-route-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.10.0
 
-*Last modified ({stack} release)*: 7.13.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -73,6 +73,9 @@ event.action:(v*.compute.routes.insert or
 [[gcp-virtual-private-cloud-route-creation-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Formatting only
+
 Version 5 (7.13.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc
index 4bedaea784..975bceef0c 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc
@@ -33,11 +33,11 @@ Detects when an admin role is assigned to a Google Workspace user. An adversary
 * SecOps
 * Identity and Access
 
-*Version*: 5 (<<google-workspace-admin-role-assigned-to-a-user-history, version history>>)
+*Version*: 6 (<<google-workspace-admin-role-assigned-to-a-user-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Google Workspace admin role assignments may be modified by system administrators
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,9 +72,8 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:ASSIGN_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:ASSIGN_ROLE
 ----------------------------------
 
 ==== Threat mapping
@@ -93,6 +92,16 @@ event.action:ASSIGN_ROLE
 [[google-workspace-admin-role-assigned-to-a-user-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:ASSIGN_ROLE
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc
index d91226bf6b..3738f97b08 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc
@@ -33,11 +33,11 @@ Detects when a custom admin role is deleted. An adversary may delete a custom ad
 * SecOps
 * Identity and Access
 
-*Version*: 5 (<<google-workspace-admin-role-deletion-history, version history>>)
+*Version*: 6 (<<google-workspace-admin-role-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Google Workspace admin roles may be deleted by system administrators. Verify tha
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,15 +72,24 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:DELETE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:DELETE_ROLE
 ----------------------------------
 
 
 [[google-workspace-admin-role-deletion-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:DELETE_ROLE
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
index 4db9c204d3..7bc19e209f 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
@@ -33,11 +33,11 @@ Detects when a domain-wide delegation of authority is granted to a service accou
 * SecOps
 * Identity and Access
 
-*Version*: 5 (<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history, version history>>)
+*Version*: 6 (<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Domain-wide delegation of authority may be granted to service accounts by system
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,9 +72,8 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:AUTHORIZE_API_CLIENT_ACCESS
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
 ----------------------------------
 
 ==== Threat mapping
@@ -93,6 +92,16 @@ event.action:AUTHORIZE_API_CLIENT_ACCESS
 [[google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:AUTHORIZE_API_CLIENT_ACCESS
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc
index 08a925a161..04a8209ee2 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc
@@ -33,11 +33,11 @@ Detects when a custom admin role is created in Google Workspace. An adversary ma
 * SecOps
 * Identity and Access
 
-*Version*: 5 (<<google-workspace-custom-admin-role-created-history, version history>>)
+*Version*: 6 (<<google-workspace-custom-admin-role-created-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Custom Google Workspace admin roles may be created by system administrators. Ver
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,9 +72,8 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:CREATE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:CREATE_ROLE
 ----------------------------------
 
 ==== Threat mapping
@@ -93,6 +92,16 @@ event.action:CREATE_ROLE
 [[google-workspace-custom-admin-role-created-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:CREATE_ROLE
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc
index 17a28ceb87..cb26f04e3c 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc
@@ -33,11 +33,11 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl
 * SecOps
 * Configuration Audit
 
-*Version*: 6 (<<google-workspace-mfa-enforcement-disabled-history, version history>>)
+*Version*: 7 (<<google-workspace-mfa-enforcement-disabled-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ MFA policies may be modified by system administrators. Verify that the configura
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,6 +72,20 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and
+google_workspace.admin.new_value:false
+----------------------------------
+
+
+[[google-workspace-mfa-enforcement-disabled-history]]
+==== Rule version history
+
+Version 7 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.dataset:(gsuite.admin or google_workspace.admin) and
 event.provider:admin and event.category:iam and
 event.action:ENFORCE_STRONG_AUTHENTICATION and
@@ -79,10 +93,6 @@ event.action:ENFORCE_STRONG_AUTHENTICATION and
 google_workspace.admin.new_value:false)
 ----------------------------------
 
-
-[[google-workspace-mfa-enforcement-disabled-history]]
-==== Rule version history
-
 Version 6 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc
index 3373ebe9d7..cfecfc7fd7 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc
@@ -29,11 +29,11 @@ Detects when a Google Workspace password policy is modified. An adversary may at
 * SecOps
 * Identity and Access
 
-*Version*: 6 (<<google-workspace-password-policy-modified-history, version history>>)
+*Version*: 7 (<<google-workspace-password-policy-modified-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -46,7 +46,7 @@ Password policies may be modified by system administrators. Verify that the conf
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -59,7 +59,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -68,6 +68,26 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or
+CREATE_APPLICATION_SETTING) and
+google_workspace.admin.setting.name:( "Password Management -
+Enforce strong password" or "Password Management - Password reset
+frequency" or "Password Management - Enable password reuse" or
+"Password Management - Enforce password policy at next login" or
+"Password Management - Minimum password length" or "Password
+Management - Maximum password length" )
+----------------------------------
+
+
+[[google-workspace-password-policy-modified-history]]
+==== Rule version history
+
+Version 7 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.dataset:(gsuite.admin or google_workspace.admin) and
 event.provider:admin and event.category:iam and
 event.action:(CHANGE_APPLICATION_SETTING or
@@ -85,10 +105,6 @@ frequency" or "Password Management - Enable password reuse" or
 Management - Maximum password length" )
 ----------------------------------
 
-
-[[google-workspace-password-policy-modified-history]]
-==== Rule version history
-
 Version 6 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc
index ae61515a30..5312df4866 100644
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc
@@ -33,11 +33,11 @@ Detects when a custom admin role or its permissions are modified. An adversary m
 * SecOps
 * Identity and Access
 
-*Version*: 5 (<<google-workspace-role-modified-history, version history>>)
+*Version*: 6 (<<google-workspace-role-modified-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,7 +50,7 @@ Google Workspace admin roles may be modified by system administrators. Verify th
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -72,9 +72,8 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
-event.dataset:(gsuite.admin or google_workspace.admin) and
-event.provider:admin and event.category:iam and
-event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
 ----------------------------------
 
 ==== Threat mapping
@@ -93,6 +92,16 @@ event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
 [[google-workspace-role-modified-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and
+event.provider:admin and event.category:iam and
+event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
+----------------------------------
+
 Version 5 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/group-policy-abuse-for-privilege-addition.asciidoc b/docs/detections/prebuilt-rules/rule-details/group-policy-abuse-for-privilege-addition.asciidoc
new file mode 100644
index 0000000000..70c937fcc8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/group-policy-abuse-for-privilege-addition.asciidoc
@@ -0,0 +1,119 @@
+[[group-policy-abuse-for-privilege-addition]]
+=== Group Policy Abuse for Privilege Addition
+
+This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-system.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md
+* https://labs.f-secure.com/tools/sharpgpoabuse
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+* Active Directory
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating Group Policy Abuse for Privilege Addition
+
+Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named
+GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique
+for each GPO, and only exists if the GPO contains security settings.
+Example Path: "\\DC.com\SysVol\DC.com\Policies\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+
+#### Possible investigation steps:
+- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
+and the administrator is authorized to perform this operation.
+- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges,
+for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
+- Inspect the user SIDs associated with these privileges
+
+### False Positive Analysis
+- Verify if these User SIDs should have these privileges enabled.
+- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the
+`winlog.event_data.SubjectUserName` field
+
+### Related Rules
+- Scheduled Task Execution at Scale via GPO
+- Startup/Logon Script added to Group Policy Object
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+Audit Directory Service Changes (Success,Failure)
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.code: "5136" and
+winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames"
+and winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F
+79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Domain Policy Modification
+** ID: T1484
+** Reference URL: https://attack.mitre.org/techniques/T1484/
diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-via-mshta.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-via-mshta.asciidoc
index ab5544e6c6..7dee91b00f 100644
--- a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-via-mshta.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-via-mshta.asciidoc
@@ -33,11 +33,11 @@ Identifies the use of Distributed Component Object Model (DCOM) to execute comma
 * Threat Detection
 * Lateral Movement
 
-*Version*: 4 (<<incoming-dcom-lateral-movement-via-mshta-history, version history>>)
+*Version*: 5 (<<incoming-dcom-lateral-movement-via-mshta-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -54,8 +54,8 @@ process.args : "-Embedding" ] by host.id, process.entity_id
 [network where event.type == "start" and process.name : "mshta.exe"
 and network.direction : ("incoming", "ingress") and
 network.transport == "tcp" and source.port > 49151 and
-destination.port > 49151 and not source.address in ("127.0.0.1",
-"::1") ] by host.id, process.entity_id
+destination.port > 49151 and source.ip != "127.0.0.1" and source.ip !=
+"::1" ] by host.id, process.entity_id
 ----------------------------------
 
 ==== Threat mapping
@@ -84,6 +84,21 @@ destination.port > 49151 and not source.address in ("127.0.0.1",
 [[incoming-dcom-lateral-movement-via-mshta-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence with maxspan=1m [process where event.type in ("start",
+"process_started") and process.name : "mshta.exe" and
+process.args : "-Embedding" ] by host.id, process.entity_id
+[network where event.type == "start" and process.name : "mshta.exe"
+and network.direction : ("incoming", "ingress") and
+network.transport == "tcp" and source.port > 49151 and
+destination.port > 49151 and not source.address in ("127.0.0.1",
+"::1") ] by host.id, process.entity_id
+----------------------------------
+
 Version 4 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc
index cfbe633bd5..5369fbdf9c 100644
--- a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc
@@ -33,11 +33,11 @@ Identifies the use of Distributed Component Object Model (DCOM) to run commands
 * Threat Detection
 * Lateral Movement
 
-*Version*: 4 (<<incoming-dcom-lateral-movement-with-mmc-history, version history>>)
+*Version*: 5 (<<incoming-dcom-lateral-movement-with-mmc-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -50,8 +50,8 @@ Identifies the use of Distributed Component Object Model (DCOM) to run commands
 ----------------------------------
 sequence by host.id with maxspan=1m [network where event.type ==
 "start" and process.name : "mmc.exe" and source.port >= 49152 and
-destination.port >= 49152 and source.address not in ("127.0.0.1",
-"::1") and network.direction : ("incoming", "ingress") and
+destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip
+!= "::1" and network.direction : ("incoming", "ingress") and
 network.transport == "tcp" ] by process.entity_id [process where
 event.type in ("start", "process_started") and process.parent.name :
 "mmc.exe" ] by process.parent.entity_id
@@ -73,6 +73,20 @@ event.type in ("start", "process_started") and process.parent.name :
 [[incoming-dcom-lateral-movement-with-mmc-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=1m [network where event.type ==
+"start" and process.name : "mmc.exe" and source.port >= 49152 and
+destination.port >= 49152 and source.address not in ("127.0.0.1",
+"::1") and network.direction : ("incoming", "ingress") and
+network.transport == "tcp" ] by process.entity_id [process where
+event.type in ("start", "process_started") and process.parent.name :
+"mmc.exe" ] by process.parent.entity_id
+----------------------------------
+
 Version 4 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
index c5fa5eb8c8..fc90700c26 100644
--- a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.asciidoc
@@ -33,11 +33,11 @@ Identifies use of Distributed Component Object Model (DCOM) to run commands from
 * Threat Detection
 * Lateral Movement
 
-*Version*: 4 (<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows-history, version history>>)
+*Version*: 5 (<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -51,9 +51,9 @@ Identifies use of Distributed Component Object Model (DCOM) to run commands from
 sequence by host.id with maxspan=5s [network where event.type ==
 "start" and process.name : "explorer.exe" and network.direction :
 ("incoming", "ingress") and network.transport == "tcp" and
-source.port > 49151 and destination.port > 49151 and not
-source.address in ("127.0.0.1", "::1") ] by process.entity_id
-[process where event.type in ("start", "process_started") and
+source.port > 49151 and destination.port > 49151 and source.ip !=
+"127.0.0.1" and source.ip != "::1" ] by process.entity_id [process
+where event.type in ("start", "process_started") and
 process.parent.name : "explorer.exe" ] by process.parent.entity_id
 ----------------------------------
 
@@ -73,6 +73,20 @@ process.parent.name : "explorer.exe" ] by process.parent.entity_id
 [[incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5s [network where event.type ==
+"start" and process.name : "explorer.exe" and network.direction :
+("incoming", "ingress") and network.transport == "tcp" and
+source.port > 49151 and destination.port > 49151 and not
+source.address in ("127.0.0.1", "::1") ] by process.entity_id
+[process where event.type in ("start", "process_started") and
+process.parent.name : "explorer.exe" ] by process.parent.entity_id
+----------------------------------
+
 Version 4 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc
index 1756b0b696..0041df7c2a 100644
--- a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc
@@ -33,11 +33,11 @@ Identifies remote execution via Windows PowerShell remoting. Windows PowerShell
 * Threat Detection
 * Lateral Movement
 
-*Version*: 3 (<<incoming-execution-via-powershell-remoting-history, version history>>)
+*Version*: 4 (<<incoming-execution-via-powershell-remoting-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -54,10 +54,10 @@ PowerShell remoting is a dual-use protocol that can be used for benign or malici
 ----------------------------------
 sequence by host.id with maxspan = 30s [network where
 network.direction : ("incoming", "ingress") and destination.port in
-(5985, 5986) and network.protocol == "http" and source.address !=
-"127.0.0.1" and source.address != "::1" ] [process where
-event.type == "start" and process.parent.name : "wsmprovhost.exe" and
-not process.name : "conhost.exe"]
+(5985, 5986) and network.protocol == "http" and source.ip !=
+"127.0.0.1" and source.ip != "::1" ] [process where event.type
+== "start" and process.parent.name : "wsmprovhost.exe" and not
+process.name : "conhost.exe"]
 ----------------------------------
 
 ==== Threat mapping
@@ -76,6 +76,19 @@ not process.name : "conhost.exe"]
 [[incoming-execution-via-powershell-remoting-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan = 30s [network where
+network.direction : ("incoming", "ingress") and destination.port in
+(5985, 5986) and network.protocol == "http" and source.address !=
+"127.0.0.1" and source.address != "::1" ] [process where
+event.type == "start" and process.parent.name : "wsmprovhost.exe" and
+not process.name : "conhost.exe"]
+----------------------------------
+
 Version 3 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-winrm-remote-shell.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-winrm-remote-shell.asciidoc
index e5c9197448..7256b6a5e5 100644
--- a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-winrm-remote-shell.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-winrm-remote-shell.asciidoc
@@ -29,11 +29,11 @@ Identifies remote execution via Windows Remote Management (WinRM) remote shell o
 * Threat Detection
 * Lateral Movement
 
-*Version*: 3 (<<incoming-execution-via-winrm-remote-shell-history, version history>>)
+*Version*: 4 (<<incoming-execution-via-winrm-remote-shell-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -51,7 +51,7 @@ WinRM is a dual-use protocol that can be used for benign or malicious activity.
 sequence by host.id with maxspan=30s [network where process.pid ==
 4 and network.direction : ("incoming", "ingress") and
 destination.port in (5985, 5986) and network.protocol == "http" and
-not source.address in ("::1", "127.0.0.1") ] [process where
+source.ip != "127.0.0.1" and source.ip != "::1" ] [process where
 event.type == "start" and process.parent.name : "winrshost.exe" and
 not process.name : "conhost.exe"]
 ----------------------------------
@@ -72,6 +72,19 @@ not process.name : "conhost.exe"]
 [[incoming-execution-via-winrm-remote-shell-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=30s [network where process.pid ==
+4 and network.direction : ("incoming", "ingress") and
+destination.port in (5985, 5986) and network.protocol == "http" and
+not source.address in ("::1", "127.0.0.1") ] [process where
+event.type == "start" and process.parent.name : "winrshost.exe" and
+not process.name : "conhost.exe"]
+----------------------------------
+
 Version 3 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/lateral-tool-transfer.asciidoc b/docs/detections/prebuilt-rules/rule-details/lateral-tool-transfer.asciidoc
index 925c3b53b7..6def44c630 100644
--- a/docs/detections/prebuilt-rules/rule-details/lateral-tool-transfer.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/lateral-tool-transfer.asciidoc
@@ -29,11 +29,11 @@ Identifies the creation or change of a Windows executable file over network shar
 * Threat Detection
 * Lateral Movement
 
-*Version*: 3 (<<lateral-tool-transfer-history, version history>>)
+*Version*: 4 (<<lateral-tool-transfer-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -46,10 +46,10 @@ Identifies the creation or change of a Windows executable file over network shar
 ----------------------------------
 sequence by host.id with maxspan=30s [network where event.type ==
 "start" and process.pid == 4 and destination.port == 445 and
-network.direction : ("incoming", "ingress") and network.transport ==
-"tcp" and source.address != "127.0.0.1" and source.address != "::1"
-] by process.entity_id /* add more executable extensions here if
-they are not noisy in your environment */ [file where event.type in
+network.direction : ("incoming", "ingress") and network.transport
+== "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by
+process.entity_id /* add more executable extensions here if they are
+not noisy in your environment */ [file where event.type in
 ("creation", "change") and process.pid == 4 and file.extension :
 ("exe", "dll", "bat", "cmd")] by process.entity_id
 ----------------------------------
@@ -70,6 +70,21 @@ they are not noisy in your environment */ [file where event.type in
 [[lateral-tool-transfer-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=30s [network where event.type ==
+"start" and process.pid == 4 and destination.port == 445 and
+network.direction : ("incoming", "ingress") and network.transport ==
+"tcp" and source.address != "127.0.0.1" and source.address != "::1"
+] by process.entity_id /* add more executable extensions here if
+they are not noisy in your environment */ [file where event.type in
+("creation", "change") and process.pid == 4 and file.extension :
+("exe", "dll", "bat", "cmd")] by process.entity_id
+----------------------------------
+
 Version 3 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc
index 05d362eca9..7e50b50e7e 100644
--- a/docs/detections/prebuilt-rules/rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc
@@ -32,11 +32,11 @@ Adversaries may create or modify launch daemons to repeatedly execute malicious
 * Threat Detection
 * Persistence
 
-*Version*: 2 (<<launchdaemon-creation-or-modification-and-immediate-loading-history, version history>>)
+*Version*: 3 (<<launchdaemon-creation-or-modification-and-immediate-loading-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.12.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -52,8 +52,8 @@ Trusted applications persisting via LaunchDaemons
 [source,js]
 ----------------------------------
 sequence by host.id with maxspan=1m [file where event.type !=
-"deletion" and file.path in ("/System/Library/LaunchDaemons/*", "
-/Library/LaunchDaemons/*")] [process where event.type in ("start",
+"deletion" and file.path in ("/System/Library/LaunchDaemons/*",
+"/Library/LaunchDaemons/*")] [process where event.type in ("start",
 "process_started") and process.name == "launchctl" and process.args ==
 "load"]
 ----------------------------------
@@ -74,6 +74,18 @@ sequence by host.id with maxspan=1m [file where event.type !=
 [[launchdaemon-creation-or-modification-and-immediate-loading-history]]
 ==== Rule version history
 
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=1m [file where event.type !=
+"deletion" and file.path in ("/System/Library/LaunchDaemons/*", "
+/Library/LaunchDaemons/*")] [process where event.type in ("start",
+"process_started") and process.name == "launchctl" and process.args ==
+"load"]
+----------------------------------
+
 Version 2 (7.12.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endgame.asciidoc
index 7d02df1ba4..2bd3afff13 100644
--- a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.mo
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<malware-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<malware-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:file_classification_event)
 [[malware-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endgame.asciidoc
index 0d85304781..995bfa43ed 100644
--- a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.m
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<malware-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<malware-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:file_classification_event)
 [[malware-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc
index cc2d2bc1bb..42877bbd4f 100644
--- a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc
@@ -29,11 +29,11 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac
 * SecOps
 * Identity and Access
 
-*Version*: 6 (<<mfa-disabled-for-google-workspace-organization-history, version history>>)
+*Version*: 7 (<<mfa-disabled-for-google-workspace-organization-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -46,7 +46,7 @@ MFA settings may be modified by system administrators. Verify that the configura
 ==== Investigation guide
 
 
-[source, markdown, subs="attributes"]
+[source,markdown]
 ----------------------------------
 ## Config
 
@@ -59,7 +59,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
 ----------------------------------
 
 
@@ -68,6 +68,21 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 
 [source,js]
 ----------------------------------
+event.dataset:google_workspace.admin and event.provider:admin and
+event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or
+ALLOW_STRONG_AUTHENTICATION) and
+google_workspace.admin.new_value:false
+----------------------------------
+
+
+[[mfa-disabled-for-google-workspace-organization-history]]
+==== Rule version history
+
+Version 7 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.dataset:(gsuite.admin or google_workspace.admin) and
 event.provider:admin and event.category:iam and
 event.action:(ENFORCE_STRONG_AUTHENTICATION or
@@ -75,10 +90,6 @@ ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or
 google_workspace.admin.new_value:false)
 ----------------------------------
 
-
-[[mfa-disabled-for-google-workspace-organization-history]]
-==== Rule version history
-
 Version 6 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-365-potential-ransomware-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-365-potential-ransomware-activity.asciidoc
index e2b17b6a9d..253ce712eb 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-365-potential-ransomware-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-365-potential-ransomware-activity.asciidoc
@@ -1,7 +1,7 @@
 [[microsoft-365-potential-ransomware-activity]]
 === Microsoft 365 Potential ransomware activity
 
-Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
+Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.
 
 *Rule type*: query
 
@@ -34,10 +34,12 @@ Identifies when Microsoft Cloud App Security reported when a user uploads files
 * SecOps
 * Configuration Audit
 
-*Version*: 1
+*Version*: 2 (<<microsoft-365-potential-ransomware-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Austin Songer
 
 *Rule license*: Elastic License v2
@@ -80,3 +82,10 @@ activity" and event.outcome:success
 ** Name: Data Encrypted for Impact
 ** ID: T1486
 ** Reference URL: https://attack.mitre.org/techniques/T1486/
+
+[[microsoft-365-potential-ransomware-activity-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc
new file mode 100644
index 0000000000..b58adc7924
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc
@@ -0,0 +1,113 @@
+[[microsoft-windows-defender-tampering]]
+=== Microsoft Windows Defender Tampering
+
+Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+* https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
+* https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html
+* https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
+* https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+* https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html
+* https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html
+* https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate Windows Defender configuration changes
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+registry where event.type in ("creation", "change") and
+(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\PUAProtection" and registry.data.strings : "0") or
+(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender Security Center\\App and Browser
+protection\\DisallowExploitProtectionOverride" and
+registry.data.strings : "1") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\DisableAntiSpyware" and registry.data.strings : "1") or
+(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\Features\\TamperProtection" and registry.data.strings :
+"0") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
+Protection\\DisableRealtimeMonitoring" and registry.data.strings :
+"1") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
+Protection\\DisableIntrusionPreventionSystem" and
+registry.data.strings : "1") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
+Protection\\DisableScriptScanning" and registry.data.strings : "1")
+or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\Windows Defender Exploit Guard\\Controlled Folder
+Access\\EnableControlledFolderAccess" and registry.data.strings :
+"0") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
+Protection\\DisableIOAVProtection" and registry.data.strings : "1")
+or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\Reporting\\DisableEnhancedNotifications" and
+registry.data.strings : "1") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
+: "1") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\SpyNet\\SpynetReporting" and registry.data.strings : "0")
+or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
+Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
+"0") or (registry.path :
+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
+Protection\\DisableBehaviorMonitoring" and registry.data.strings :
+"1")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc b/docs/detections/prebuilt-rules/rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc
index 68677e0bbe..ecd8af76c0 100644
--- a/docs/detections/prebuilt-rules/rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/o365-excessive-single-sign-on-logon-errors.asciidoc
@@ -29,11 +29,11 @@ Identifies accounts with a high number of single sign-on (SSO) logon errors. Exc
 * SecOps
 * Identity and Access
 
-*Version*: 2 (<<o365-excessive-single-sign-on-logon-errors-history, version history>>)
+*Version*: 3 (<<o365-excessive-single-sign-on-logon-errors-history, version history>>)
 
 *Added ({stack} release)*: 7.14.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic, Austin Songer
 
@@ -60,7 +60,7 @@ The Microsoft 365 Fleet integration, Filebeat module, or similarly structured da
 [source,js]
 ----------------------------------
 event.dataset:o365.audit and event.provider:AzureActiveDirectory and
-event.category:web and
+event.category:authentication and
 o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
 ----------------------------------
 
@@ -80,6 +80,16 @@ o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
 [[o365-excessive-single-sign-on-logon-errors-history]]
 ==== Rule version history
 
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.dataset:o365.audit and event.provider:AzureActiveDirectory and
+event.category:web and
+o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
+----------------------------------
+
 Version 2 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/o365-mailbox-audit-logging-bypass.asciidoc b/docs/detections/prebuilt-rules/rule-details/o365-mailbox-audit-logging-bypass.asciidoc
new file mode 100644
index 0000000000..7eecb27e05
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/o365-mailbox-audit-logging-bypass.asciidoc
@@ -0,0 +1,80 @@
+[[o365-mailbox-audit-logging-bypass]]
+=== O365 Mailbox Audit Logging Bypass
+
+Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+* logs-o365*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/misconfig/status/1476144066807140355
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Microsoft 365
+* Continuous Monitoring
+* SecOps
+* Initial Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate whitelisting of noisy accounts
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:o365.audit and event.provider:Exchange and
+event.action:Set-MailboxAuditBypassAssociation and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endgame.asciidoc
index 3dd6caba37..9663457a56 100644
--- a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<permission-theft-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<permission-theft-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:token_protection_event)
 [[permission-theft-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endgame.asciidoc
index c1101818d0..3f43faa743 100644
--- a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in th
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<permission-theft-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<permission-theft-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:token_protection_event)
 [[permission-theft-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-folder-action-script.asciidoc
index 3efefa9cea..bc0689c306 100644
--- a/docs/detections/prebuilt-rules/rule-details/persistence-via-folder-action-script.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-folder-action-script.asciidoc
@@ -33,11 +33,11 @@ A Folder Action script is executed when the folder to which it is attached has i
 * Execution
 * Persistence
 
-*Version*: 3 (<<persistence-via-folder-action-script-history, version history>>)
+*Version*: 4 (<<persistence-via-folder-action-script-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.14.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -52,7 +52,8 @@ sequence by host.id with maxspan=5s [process where event.type in
 ("start", "process_started", "info") and process.name ==
 "com.apple.foundation.UserScriptService"] by process.pid [process
 where event.type in ("start", "process_started") and process.name in
-("osascript", "sh")] by process.parent.pid
+("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash",
+"csh", "zsh", "sh")] by process.parent.pid
 ----------------------------------
 
 ==== Threat mapping
@@ -81,6 +82,18 @@ where event.type in ("start", "process_started") and process.name in
 [[persistence-via-folder-action-script-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan=5s [process where event.type in
+("start", "process_started", "info") and process.name ==
+"com.apple.foundation.UserScriptService"] by process.pid [process
+where event.type in ("start", "process_started") and process.name in
+("osascript", "sh")] by process.parent.pid
+----------------------------------
+
 Version 3 (7.14.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc
index 9a36e5fa27..df168fe3d6 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc
@@ -1,7 +1,7 @@
 [[potential-credential-access-via-duplicatehandle-in-lsass]]
 === Potential Credential Access via DuplicateHandle in LSASS
 
-Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory for credential access.
+Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
 
 *Rule type*: eql
 
@@ -32,10 +32,12 @@ Identifies suspicious access to an LSASS handle via DuplicateHandle from an unkn
 * Threat Detection
 * Credential Access
 
-*Version*: 1
+*Version*: 2 (<<potential-credential-access-via-duplicatehandle-in-lsass-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -64,3 +66,10 @@ winlog.event_data.CallTrace : "*UNKNOWN*"
 ** Name: OS Credential Dumping
 ** ID: T1003
 ** Reference URL: https://attack.mitre.org/techniques/T1003/
+
+[[potential-credential-access-via-duplicatehandle-in-lsass-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc
new file mode 100644
index 0000000000..084ec923a3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc
@@ -0,0 +1,68 @@
+[[potential-credential-access-via-lsass-memory-dump]]
+=== Potential Credential Access via LSASS Memory Dump
+
+Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+process where event.code == "10" and winlog.event_data.TargetImage :
+"?:\\WINDOWS\\system32\\lsass.exe" and /* DLLs exporting
+MiniDumpWriteDump API to create an lsass mdmp*/
+winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and /*
+case of lsass crashing */ not process.executable :
+("?:\\Windows\\System32\\WerFault.exe",
+"?:\\Windows\\System32\\WerFaultSecure.exe")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc
new file mode 100644
index 0000000000..8698a6c07b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc
@@ -0,0 +1,80 @@
+[[potential-credential-access-via-renamed-com-services-dll]]
+=== Potential Credential Access via Renamed COM+ Services DLL
+
+Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original
+File Name.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=1m [process where
+event.category == "process" and process.name : "rundll32.exe"]
+[process where event.category == "process" and event.dataset :
+"windows.sysmon_operational" and event.code == "7" and
+(file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash :
+"EADBCCBB324829ACB5F2BBE87E5549A8") and /* renamed COMSVCS */
+not file.name : "COMSVCS.DLL"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc
new file mode 100644
index 0000000000..2856ed507e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc
@@ -0,0 +1,76 @@
+[[potential-lsass-clone-creation-via-psscapturesnapshot]]
+=== Potential LSASS Clone Creation via PssCaptureSnapShot
+
+Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
+* https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+process where event.code:"4688" and process.executable :
+"?:\\Windows\\System32\\lsass.exe" and process.parent.executable :
+"?:\\Windows\\System32\\lsass.exe"
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc
new file mode 100644
index 0000000000..08b7434a57
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc
@@ -0,0 +1,78 @@
+[[potential-lsass-memory-dump-via-psscapturesnapshot]]
+=== Potential LSASS Memory Dump via PssCaptureSnapShot
+
+Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
+* https://twitter.com/sbousseaden/status/1280619931516747777?lang=en
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold
+rule cardinality feature.
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.code:10 and
+winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
+"c:\\Windows\\system32\\lsass.exe" or
+"c:\\Windows\\System32\\lsass.exe")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc
new file mode 100644
index 0000000000..12b88c2dff
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc
@@ -0,0 +1,105 @@
+[[potential-privilege-escalation-via-installerfiletakeover]]
+=== Potential Privilege Escalation via InstallerFileTakeOver
+
+Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/klinix5/InstallerFileTakeOver
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating Potential Priivilege Escalation via InstallerFileTakeOver
+
+InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
+an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
+
+This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself
+to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.
+
+#### Possible investigation steps:
+
+- Check for the digital signature of the executable
+- Look for additional processes spawned by the process, command lines and network communications.
+- Look for additional alerts involving the host and the user.
+
+### False Positive Analysis
+
+- Verify whether the digital signature exists in the executable, and if it is valid.
+
+### Related Rules
+
+- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee
+
+### Response and Remediation
+
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+/* This rule is compatible with both Sysmon and Elastic Endpoint */
+process where event.type == "start" and user.id : "S-1-5-18" and
+( (process.name : "elevation_service.exe" and not
+process.pe.original_file_name == "elevation_service.exe") or
+(process.parent.name : "elevation_service.exe" and
+process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Exploitation for Privilege Escalation
+** ID: T1068
+** Reference URL: https://attack.mitre.org/techniques/T1068/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc
new file mode 100644
index 0000000000..91f1a61bca
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc
@@ -0,0 +1,134 @@
+[[potential-process-injection-via-powershell]]
+=== Potential Process Injection via PowerShell
+
+Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1
+* https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 2
+
+*Added ({stack} release)*: 8.0.0
+
+*Last modified ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate Powershell Scripts that make use of these Functions
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating Potential Process Injection via PowerShell
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,
+like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.
+
+Red Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject
+payloads directly into the memory, without touching the disk.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree)
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and powershell.file.script_block_text : (
+(VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or
+LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress
+or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
+(WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or
+CreateThread or QueueUserAPC or SuspendThread or ResumeThread)
+)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-sharprdp-behavior.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-sharprdp-behavior.asciidoc
index 52367235ab..97df19f705 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-sharprdp-behavior.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-sharprdp-behavior.asciidoc
@@ -34,11 +34,11 @@ Identifies potential behavior of SharpRDP, which is a tool that can be used to p
 * Threat Detection
 * Lateral Movement
 
-*Version*: 4 (<<potential-sharprdp-behavior-history, version history>>)
+*Version*: 5 (<<potential-sharprdp-behavior-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -54,8 +54,8 @@ powershell, taskmgr or tsclient, followed by process execution within
 1m */ sequence by host.id with maxspan=1m [network where event.type
 == "start" and process.name : "svchost.exe" and destination.port ==
 3389 and network.direction : ("incoming", "ingress") and
-network.transport == "tcp" and source.address != "127.0.0.1" and
-source.address != "::1" ] [registry where process.name :
+network.transport == "tcp" and source.ip != "127.0.0.1" and
+source.ip != "::1" ] [registry where process.name :
 "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Micr
 osoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
 registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*",
@@ -81,6 +81,27 @@ registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*",
 [[potential-sharprdp-behavior-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+/* Incoming RDP followed by a new RunMRU string value set to cmd,
+powershell, taskmgr or tsclient, followed by process execution within
+1m */ sequence by host.id with maxspan=1m [network where event.type
+== "start" and process.name : "svchost.exe" and destination.port ==
+3389 and network.direction : ("incoming", "ingress") and
+network.transport == "tcp" and source.address != "127.0.0.1" and
+source.address != "::1" ] [registry where process.name :
+"explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Micr
+osoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
+registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*",
+"\\\\tsclient\\*.exe\\*") ] [process where event.type in
+("start", "process_started") and (process.parent.name : ("cmd.exe",
+"powershell.exe", "taskmgr.exe") or process.args :
+("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ]
+----------------------------------
+
 Version 4 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc
new file mode 100644
index 0000000000..66122a5075
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc
@@ -0,0 +1,135 @@
+[[powershell-keylogging-script]]
+=== PowerShell Keylogging Script
+
+Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1
+* https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Collection
+
+*Version*: 2
+
+*Added ({stack} release)*: 8.0.0
+
+*Last modified ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating PowerShell Keylogging Script
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+Attackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other
+valuable information as Credit Card data and confidential conversations.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree)
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and ( powershell.file.script_block_text
+: (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or
+Get-Keystrokes) or powershell.file.script_block_text :
+((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or
+SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow
+or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL)) )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Input Capture
+** ID: T1056
+** Reference URL: https://attack.mitre.org/techniques/T1056/
+
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-minidump-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-minidump-script.asciidoc
index 5e44536de3..615e3cb0cb 100644
--- a/docs/detections/prebuilt-rules/rule-details/powershell-minidump-script.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-minidump-script.asciidoc
@@ -24,6 +24,7 @@ This rule detects PowerShell scripts that have capabilities to dump process memo
 
 * https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
 * https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
 
 *Tags*:
 
@@ -33,10 +34,12 @@ This rule detects PowerShell scripts that have capabilities to dump process memo
 * Threat Detection
 * Credential Access
 
-*Version*: 1
+*Version*: 3 (<<powershell-minidump-script-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -45,12 +48,68 @@ This rule detects PowerShell scripts that have capabilities to dump process memo
 
 Powershell Scripts that use this capability for troubleshooting.
 
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating PowerShell MiniDump Script
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+Process Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged
+information stored in the process memory.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree)
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text:(MiniDumpWriteDump or
 MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
 ----------------------------------
@@ -77,3 +136,17 @@ MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
 ** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
+
+[[powershell-minidump-script-history]]
+==== Rule version history
+
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:"4104" and
+powershell.file.script_block_text:(MiniDumpWriteDump or
+MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-psreflect-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-psreflect-script.asciidoc
new file mode 100644
index 0000000000..76c340b7f0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-psreflect-script.asciidoc
@@ -0,0 +1,131 @@
+[[powershell-psreflect-script]]
+=== PowerShell PSReflect Script
+
+Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate Powershell Scripts that make use of PSReflect to access the win32 API
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis
+### Investigating PowerShell PSReflect Script
+
+PowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks.
+
+PSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to
+create enums and structs easily—all without touching the disk.
+
+Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and
+malware tooling for its capabilities.
+
+Detecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through
+PowerShell, enabling the defender to discover tools being dropped in the environment.
+
+#### Possible investigation steps:
+- Check for additional PowerShell logs that indicate that the script/command was run.
+- Gather the script content that may be split into multiple script blocks, and identify its capabilities.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+- Look for additional alerts involving the host and the user.
+
+### False Positive Analysis
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e
+- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889
+- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43
+- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d
+- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
+- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
+- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+The 'PowerShell Script Block Logging' logging policy is required be configured (Enable).
+
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+Steps to implement the logging policy via registry:
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and powershell.file.script_block_text:(
+New-InMemoryModule or Add-Win32Type or psenum or
+DefineDynamicAssembly or DefineDynamicModule or
+Reflection.TypeAttributes or Reflection.Emit.OpCodes or
+Reflection.Emit.CustomAttributeBuilder or
+Runtime.InteropServices.DllImportAttribute )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc
index 12e2b58b98..8144d173e8 100644
--- a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc
@@ -1,7 +1,7 @@
 [[powershell-suspicious-discovery-related-windows-api-functions]]
 === PowerShell Suspicious Discovery Related Windows API Functions
 
-This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.,
+This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
 
 *Rule type*: query
 
@@ -23,6 +23,7 @@ This rule detects the use of discovery-related Windows API Functions in Powershe
 *References*:
 
 * https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
 
 *Tags*:
 
@@ -32,10 +33,12 @@ This rule detects the use of discovery-related Windows API Functions in Powershe
 * Threat Detection
 * Discovery
 
-*Version*: 1
+*Version*: 3 (<<powershell-suspicious-discovery-related-windows-api-functions-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -44,12 +47,67 @@ This rule detects the use of discovery-related Windows API Functions in Powershe
 
 Legitimate Powershell Scripts that make use of these Functions
 
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating PowerShell Suspicious Discovery Related Windows API Functions
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+Attackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries
+like PSReflect or Get-ProcAddress Cmdlet.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree).
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-event.code:"4104" and powershell.file.script_block_text : (
+event.category:process and powershell.file.script_block_text : (
 NetShareEnum or NetWkstaUserEnum or NetSessionEnum or
 NetLocalGroupEnum or NetLocalGroupGetMembers or DsGetSiteName
 or DsEnumerateDomainTrusts or WTSEnumerateSessionsEx or
@@ -79,3 +137,20 @@ QueryServiceObjectSecurity )
 ** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
+
+[[powershell-suspicious-discovery-related-windows-api-functions-history]]
+==== Rule version history
+
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:"4104" and powershell.file.script_block_text : (
+NetShareEnum or NetWkstaUserEnum or NetSessionEnum or
+NetLocalGroupEnum or NetLocalGroupGetMembers or DsGetSiteName
+or DsEnumerateDomainTrusts or WTSEnumerateSessionsEx or
+WTSQuerySessionInformation or LsaGetLogonSessionData or
+QueryServiceObjectSecurity )
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc
new file mode 100644
index 0000000000..3a5c1f078f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-payload-encoded-and-compressed.asciidoc
@@ -0,0 +1,75 @@
+[[powershell-suspicious-payload-encoded-and-compressed]]
+=== PowerShell Suspicious Payload Encoded and Compressed
+
+Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate PowerShell Scripts which makes use of compression and encoding
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and powershell.file.script_block_text : (
+(System.IO.Compression.DeflateStream or
+System.IO.Compression.GzipStream or IO.Compression.DeflateStream or
+IO.Compression.GzipStream) and FromBase64String )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Deobfuscate/Decode Files or Information
+** ID: T1140
+** Reference URL: https://attack.mitre.org/techniques/T1140/
+
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
index 87e286982b..c470f9a1d8 100644
--- a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc
@@ -1,7 +1,7 @@
 [[powershell-suspicious-script-with-audio-capture-capabilities]]
 === PowerShell Suspicious Script with Audio Capture Capabilities
 
-Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.
+Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.
 
 *Rule type*: query
 
@@ -32,20 +32,78 @@ Detects PowerShell Scripts that can record audio, a common feature in popular po
 * Threat Detection
 * Collection
 
-*Version*: 1
+*Version*: 3 (<<powershell-suspicious-script-with-audio-capture-capabilities-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
 
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating PowerShell Suspicious Script with Audio Capture Capabilities
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+Attackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the
+computer.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree)
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-event.code:"4104" and powershell.file.script_block_text : (
+event.category:process and powershell.file.script_block_text : (
 Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA) )
 ----------------------------------
 
@@ -71,3 +129,16 @@ Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA) )
 ** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
+
+[[powershell-suspicious-script-with-audio-capture-capabilities-history]]
+==== Rule version history
+
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:"4104" and powershell.file.script_block_text : (
+Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA) )
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-screenshot-capabilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-screenshot-capabilities.asciidoc
new file mode 100644
index 0000000000..dc563583f6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-screenshot-capabilities.asciidoc
@@ -0,0 +1,73 @@
+[[powershell-suspicious-script-with-screenshot-capabilities]]
+=== PowerShell Suspicious Script with Screenshot Capabilities
+
+Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Collection
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and powershell.file.script_block_text : (
+CopyFromScreen and (System.Drawing.Bitmap or Drawing.Bitmap) )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Screen Capture
+** ID: T1113
+** Reference URL: https://attack.mitre.org/techniques/T1113/
+
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
new file mode 100644
index 0000000000..8ef9dae1a6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc
@@ -0,0 +1,79 @@
+[[privilege-escalation-via-rogue-named-pipe-impersonation]]
+=== Privilege Escalation via Rogue Named Pipe Impersonation
+
+Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
+* https://github.com/zcgonvh/EfsPotato
+* https://twitter.com/SBousseaden/status/1429530155291193354
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Config
+
+Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
+`condition equal "contains" and keyword equal "pipe"`
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+file where event.action : "Pipe Created*" and /* normal sysmon named
+pipe creation events truncate the pipe keyword */ file.name :
+"\\*\\Pipe\\*"
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Access Token Manipulation
+** ID: T1134
+** Reference URL: https://attack.mitre.org/techniques/T1134/
diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endgame.asciidoc
index 82b5289acf..7082d3ece9 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in th
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<process-injection-detected-elastic-endgame-history, version history>>)
+*Version*: 7 (<<process-injection-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:kernel_shellcode_event)
 [[process-injection-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endgame.asciidoc
index 7ec3955873..344bd2818b 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endgame.asciidoc
@@ -17,18 +17,18 @@ Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in t
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<process-injection-prevented-elastic-endgame-history, version history>>)
+*Version*: 7 (<<process-injection-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +49,9 @@ endgame.event_subtype_full:kernel_shellcode_event)
 [[process-injection-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 7 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endgame.asciidoc
index 0336517bd2..7b5dcefaf4 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endgame.asciidoc
@@ -1,7 +1,7 @@
 [[ransomware-detected-elastic-endgame]]
 === Ransomware - Detected - Elastic Endgame
 
-Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
+Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -17,18 +17,18 @@ Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<ransomware-detected-elastic-endgame-history, version history>>)
+*Version*: 8 (<<ransomware-detected-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:ransomware_event)
 [[ransomware-detected-elastic-endgame-history]]
 ==== Rule version history
 
+Version 8 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endgame.asciidoc
index 8b716f3abc..9180c9d6ec 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endgame.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endgame.asciidoc
@@ -1,7 +1,7 @@
 [[ransomware-prevented-elastic-endgame]]
 === Ransomware - Prevented - Elastic Endgame
 
-Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
+Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -17,18 +17,18 @@ Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the even
 
 *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
 
-*Maximum alerts per execution*: 100
+*Maximum alerts per execution*: 10000
 
 *Tags*:
 
 * Elastic
 * Elastic Endgame
 
-*Version*: 6 (<<ransomware-prevented-elastic-endgame-history, version history>>)
+*Version*: 8 (<<ransomware-prevented-elastic-endgame-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.12.1
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +48,9 @@ endgame.event_subtype_full:ransomware_event)
 [[ransomware-prevented-elastic-endgame-history]]
 ==== Rule version history
 
+Version 8 (8.0.0 release)::
+* Formatting only
+
 Version 6 (7.12.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-scheduled-task-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-scheduled-task-creation.asciidoc
index 99f6359731..ade20fd4eb 100644
--- a/docs/detections/prebuilt-rules/rule-details/remote-scheduled-task-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/remote-scheduled-task-creation.asciidoc
@@ -29,11 +29,11 @@ Identifies remote scheduled task creations on a target host. This could be indic
 * Threat Detection
 * Lateral Movement
 
-*Version*: 5 (<<remote-scheduled-task-creation-history, version history>>)
+*Version*: 6 (<<remote-scheduled-task-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -91,8 +91,8 @@ restrict activity or configure settings that only allow Administrators to create
 registry modification */ sequence by host.id, process.entity_id with
 maxspan = 1m [network where process.name : "svchost.exe" and
 network.direction : ("incoming", "ingress") and source.port >= 49152
-and destination.port >= 49152 and source.address != "127.0.0.1" and
-source.address != "::1" ] [registry where registry.path :
+and destination.port >= 49152 and source.ip != "127.0.0.1" and
+source.ip != "::1" ] [registry where registry.path :
 "HKLM\\SOFTWARE\\Microsoft\\Windows
 NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 ----------------------------------
@@ -123,6 +123,21 @@ NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 [[remote-scheduled-task-creation-history]]
 ==== Rule version history
 
+Version 6 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+/* Task Scheduler service incoming connection followed by TaskCache
+registry modification */ sequence by host.id, process.entity_id with
+maxspan = 1m [network where process.name : "svchost.exe" and
+network.direction : ("incoming", "ingress") and source.port >= 49152
+and destination.port >= 49152 and source.address != "127.0.0.1" and
+source.address != "::1" ] [registry where registry.path :
+"HKLM\\SOFTWARE\\Microsoft\\Windows
+NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
+----------------------------------
+
 Version 5 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/remotely-started-services-via-rpc.asciidoc b/docs/detections/prebuilt-rules/rule-details/remotely-started-services-via-rpc.asciidoc
index 2ff67d57d5..e8ad6dd16b 100644
--- a/docs/detections/prebuilt-rules/rule-details/remotely-started-services-via-rpc.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/remotely-started-services-via-rpc.asciidoc
@@ -29,11 +29,11 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 * Threat Detection
 * Lateral Movement
 
-*Version*: 3 (<<remotely-started-services-via-rpc-history, version history>>)
+*Version*: 4 (<<remotely-started-services-via-rpc-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -47,8 +47,8 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 sequence with maxspan=1s [network where process.name :
 "services.exe" and network.direction : ("incoming", "ingress")
 and network.transport == "tcp" and source.port >= 49152 and
-destination.port >= 49152 and source.address not in ("127.0.0.1",
-"::1") ] by host.id, process.entity_id [process where
+destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip
+!= "::1" ] by host.id, process.entity_id [process where
 event.type in ("start", "process_started") and process.parent.name :
 "services.exe" and not (process.name : "svchost.exe" and
 process.args : "tiledatamodelsvc") and not (process.name :
@@ -73,6 +73,24 @@ is noisy in your environment */ /* and not process.name :
 [[remotely-started-services-via-rpc-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence with maxspan=1s [network where process.name :
+"services.exe" and network.direction : ("incoming", "ingress")
+and network.transport == "tcp" and source.port >= 49152 and
+destination.port >= 49152 and source.address not in ("127.0.0.1",
+"::1") ] by host.id, process.entity_id [process where
+event.type in ("start", "process_started") and process.parent.name :
+"services.exe" and not (process.name : "svchost.exe" and
+process.args : "tiledatamodelsvc") and not (process.name :
+"msiexec.exe" and process.args : "/V") /* uncomment if psexec
+is noisy in your environment */ /* and not process.name :
+"PSEXESVC.exe" */ ] by host.id, process.parent.entity_id
+----------------------------------
+
 Version 3 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
index ae4d389707..590a8dec98 100644
--- a/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
@@ -36,11 +36,11 @@ Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the int
 * Command and Control
 * Host
 
-*Version*: 8 (<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet-history, version history>>)
+*Version*: 9 (<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.10.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -97,6 +97,9 @@ source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or
 [[roshal-archive-rar-or-powershell-file-downloaded-from-the-internet-history]]
 ==== Rule version history
 
+Version 9 (8.0.0 release)::
+* Formatting only
+
 Version 8 (7.16.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc b/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc
new file mode 100644
index 0000000000..f5bd23f05b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc
@@ -0,0 +1,135 @@
+[[scheduled-task-execution-at-scale-via-gpo]]
+=== Scheduled Task Execution at Scale via GPO
+
+Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-system.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md
+* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md
+* https://labs.f-secure.com/tools/sharpgpoabuse
+* https://twitter.com/menasec1/status/1106899890377052160
+* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+* Active Directory
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating Scheduled Task Execution at Scale via GPO
+
+Group Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,
+this is done by changing the contents of the `<GPOPath>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` file.
+
+#### Possible investigation steps:
+- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
+and the administrator is authorized to perform this operation.
+- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious
+commands and binaries.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+- Verify if the execution is allowed and done under change management, and if the execution is legitimate.
+
+### Related Rules
+- Group Policy Abuse for Privilege Addition
+- Startup/Logon Script added to Group Policy Object
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Object Access > 
+Audit Detailed File Share (Success,Failure)
+```
+
+The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+Audit Directory Service Changes (Success,Failure)
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+(event.code: "5136" and
+winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames"
+or "gPCUserExtensionNames") and winlog.event_data.AttributeValue:(
+*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and
+*AADCED64-746C-4633-A97C-D61349046527*)) or (event.code: "5145" and
+winlog.event_data.ShareName: "\\\\*\\SYSVOL" and
+winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
+(message: WriteData or winlog.event_data.AccessList: *%%4417*))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
diff --git a/docs/detections/prebuilt-rules/rule-details/startup-logon-script-added-to-group-policy-object.asciidoc b/docs/detections/prebuilt-rules/rule-details/startup-logon-script-added-to-group-policy-object.asciidoc
new file mode 100644
index 0000000000..b8c457daa4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/startup-logon-script-added-to-group-policy-object.asciidoc
@@ -0,0 +1,139 @@
+[[startup-logon-script-added-to-group-policy-object]]
+=== Startup/Logon Script added to Group Policy Object
+
+Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-system.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md
+* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md
+* https://labs.f-secure.com/tools/sharpgpoabuse
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+* Active Directory
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate Administrative Activity
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating Scheduled Task Execution at Scale via GPO
+
+Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to
+execute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or 
+`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\Machine\Scripts\`, `<GPOPath>\User\Scripts\`
+
+#### Possible investigation steps:
+- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
+and the administrator is authorized to perform this operation.
+- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+- Verify if the execution is allowed and done under change management, and legitimate.
+
+### Related Rules
+- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
+- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Object Access > 
+Audit Detailed File Share (Success,Failure)
+```
+
+The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+Audit Directory Service Changes (Success,Failure)
+```
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+( event.code:5136 and
+winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames
+or gPCUserExtensionNames) and winlog.event_data.AttributeValue:(*42
+B5FAAE-6536-11D2-AE5A-0000F87571E3* and
+(*40B66650-4972-11D1-A7CA-0000F87571E3* or
+*40B6664F-4972-11D1-A7CA-0000F87571E3*)) ) or ( event.code:5145 and
+winlog.event_data.ShareName:\\\\*\\SYSVOL and
+winlog.event_data.RelativeTargetName:(*\\scripts.ini or
+*\\psscripts.ini) and (message:WriteData or
+winlog.event_data.AccessList:*%%4417*) )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Boot or Logon Autostart Execution
+** ID: T1547
+** Reference URL: https://attack.mitre.org/techniques/T1547/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-.net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-.net-reflection-via-powershell.asciidoc
new file mode 100644
index 0000000000..4cc9fbc909
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-.net-reflection-via-powershell.asciidoc
@@ -0,0 +1,74 @@
+[[suspicious-.net-reflection-via-powershell]]
+=== Suspicious .NET Reflection via PowerShell
+
+This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and powershell.file.script_block_text : (
+"[System.Reflection.Assembly]::Load" or
+"[Reflection.Assembly]::Load" )
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
+
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-certutil-commands.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-certutil-commands.asciidoc
index 61cfd633a5..980379d41b 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-certutil-commands.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-certutil-commands.asciidoc
@@ -36,13 +36,13 @@ Identifies suspicious commands being used with certutil.exe. CertUtil is a nativ
 * Threat Detection
 * Defense Evasion
 
-*Version*: 9 (<<suspicious-certutil-commands-history, version history>>)
+*Version*: 10 (<<suspicious-certutil-commands-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.14.0
+*Last modified ({stack} release)*: 8.0.0
 
-*Rule authors*: Elastic
+*Rule authors*: Elastic, Austin Songer
 
 *Rule license*: Elastic License v2
 
@@ -54,7 +54,7 @@ Identifies suspicious commands being used with certutil.exe. CertUtil is a nativ
 process where event.type == "start" and (process.name :
 "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
 process.args : ("?decode", "?encode", "?urlcache", "?verifyctl",
-"?encodehex", "?decodehex")
+"?encodehex", "?decodehex", "?exportPFX")
 ----------------------------------
 
 ==== Threat mapping
@@ -73,6 +73,17 @@ process.args : ("?decode", "?encode", "?urlcache", "?verifyctl",
 [[suspicious-certutil-commands-history]]
 ==== Rule version history
 
+Version 10 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+process where event.type == "start" and (process.name :
+"certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
+process.args : ("?decode", "?encode", "?urlcache", "?verifyctl",
+"?encodehex", "?decodehex")
+----------------------------------
+
 Version 9 (7.14.0 release)::
 * Rule name changed from: Encoding or Decoding Files via CertUtil
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-jar-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc
similarity index 57%
rename from docs/detections/prebuilt-rules/rule-details/suspicious-jar-child-process.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc
index 6e8f908739..2fa6cf5aa7 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-jar-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc
@@ -1,7 +1,7 @@
-[[suspicious-jar-child-process]]
-=== Suspicious JAR Child Process
+[[suspicious-java-child-process]]
+=== Suspicious JAVA Child Process
 
-Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection.
+Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.
 
 *Rule type*: eql
 
@@ -20,6 +20,12 @@ Identifies suspicious child processes of a Java Archive (JAR) file. JAR files ma
 
 *Maximum alerts per execution*: 100
 
+*References*:
+
+* https://www.lunasec.io/docs/blog/log4j-zero-day/
+* https://github.com/christophetd/log4shell-vulnerable-app
+* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
+
 *Tags*:
 
 * Elastic
@@ -29,11 +35,11 @@ Identifies suspicious child processes of a Java Archive (JAR) file. JAR files ma
 * Threat Detection
 * Execution
 
-*Version*: 2 (<<suspicious-jar-child-process-history, version history>>)
+*Version*: 3 (<<suspicious-java-child-process-history, version history>>)
 
 *Added ({stack} release)*: 7.12.0
 
-*Last modified ({stack} release)*: 7.15.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -46,11 +52,7 @@ Identifies suspicious child processes of a Java Archive (JAR) file. JAR files ma
 ----------------------------------
 process where event.type in ("start", "process_started") and
 process.parent.name : "java" and process.name : ("sh", "bash",
-"dash", "ksh", "tcsh", "zsh", "curl", "wget") and process.args :
-"-jar" and process.args : "*.jar" and /* Add any FP's here */ not
-process.executable : ("/Users/*/.sdkman/*",
-"/Library/Java/JavaVirtualMachines/*") and not process.args :
-("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")
+"dash", "ksh", "tcsh", "zsh", "curl", "wget")
 ----------------------------------
 
 ==== Threat mapping
@@ -66,9 +68,25 @@ process.executable : ("/Users/*/.sdkman/*",
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
-[[suspicious-jar-child-process-history]]
+[[suspicious-java-child-process-history]]
 ==== Rule version history
 
+Version 3 (8.0.0 release)::
+* Rule name changed from: Suspicious JAR Child Process
++
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+process.parent.name : "java" and process.name : ("sh", "bash",
+"dash", "ksh", "tcsh", "zsh", "curl", "wget") and process.args :
+"-jar" and process.args : "*.jar" and /* Add any FP's here */ not
+process.executable : ("/Users/*/.sdkman/*",
+"/Library/Java/JavaVirtualMachines/*") and not process.args :
+("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")
+----------------------------------
+
 Version 2 (7.15.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc
index d60060672e..44c31d2438 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc
@@ -1,7 +1,7 @@
 [[suspicious-portable-executable-encoded-in-powershell-script]]
 === Suspicious Portable Executable Encoded in Powershell Script
 
-This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk.,
+Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.
 
 *Rule type*: query
 
@@ -20,6 +20,10 @@ This rule detects the presence of Portable Executables in a PowerShell Script by
 
 *Maximum alerts per execution*: 100
 
+*References*:
+
+* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
+
 *Tags*:
 
 * Elastic
@@ -28,20 +32,79 @@ This rule detects the presence of Portable Executables in a PowerShell Script by
 * Threat Detection
 * Execution
 
-*Version*: 1
+*Version*: 3 (<<suspicious-portable-executable-encoded-in-powershell-script-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
 
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and analysis.
+
+### Investigating Suspicious Portable Executable Encoded in Powershell Script
+
+PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
+
+Attackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing
+AntiVirus software. These executables are generally base64 encoded.
+
+#### Possible investigation steps:
+
+- Examine script content that triggered the detection. 
+- Investigate script execution chain (parent process tree).
+- Inspect any file or network events from the suspicious powershell host process instance.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+
+- Verify whether the script content is malicious/harmful.
+
+### Related Rules
+
+- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
+- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
+- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
+
+### Response and Remediation
+
+- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+
+----------------------------------
+
+
 ==== Rule query
 
 
 [source,js]
 ----------------------------------
-event.code:"4104" and powershell.file.script_block_text : (
+event.category:process and powershell.file.script_block_text : (
 TVqQAAMAAAAEAAAA )
 ----------------------------------
 
@@ -57,3 +120,16 @@ TVqQAAMAAAAEAAAA )
 ** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
+
+[[suspicious-portable-executable-encoded-in-powershell-script-history]]
+==== Rule version history
+
+Version 3 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:"4104" and powershell.file.script_block_text : (
+TVqQAAMAAAAEAAAA )
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc
index f75335f6a1..66c79cb825 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc
@@ -1,7 +1,7 @@
 [[suspicious-process-access-via-direct-system-call]]
 === Suspicious Process Access via Direct System Call
 
-Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
+Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
 
 *Rule type*: eql
 
@@ -33,10 +33,12 @@ Identifies suspicious process access events from unknown memory region. Endpoint
 * Threat Detection
 * Defense Evasion
 
-*Version*: 1
+*Version*: 2 (<<suspicious-process-access-via-direct-system-call-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -66,3 +68,10 @@ Windows NT Syscalls */ not winlog.event_data.CallTrace :
 ** Name: Process Injection
 ** ID: T1055
 ** Reference URL: https://attack.mitre.org/techniques/T1055/
+
+[[suspicious-process-access-via-direct-system-call-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-creation-calltrace.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-creation-calltrace.asciidoc
new file mode 100644
index 0000000000..e70db0da88
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-creation-calltrace.asciidoc
@@ -0,0 +1,68 @@
+[[suspicious-process-creation-calltrace]]
+=== Suspicious Process Creation CallTrace
+
+Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 43
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by host.id with maxspan=1m [process where event.code == "1"
+and /* sysmon process creation */ process.parent.name :
+("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
+"eqnedt32.exe", "fltldr.exe", "mspub.exe",
+"msaccess.exe", "powershell.exe", "pwsh.exe",
+"cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
+"mshta.exe", "wmic.exe", "cmstp.exe",
+"msxsl.exe")] by process.parent.entity_id, process.entity_id
+[process where event.code == "10" and /* Sysmon process access
+event from unknown module */ winlog.event_data.CallTrace :
+"*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc
new file mode 100644
index 0000000000..1048b8fe47
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc
@@ -0,0 +1,71 @@
+[[symbolic-link-to-shadow-copy-created]]
+=== Symbolic Link to Shadow Copy Created
+
+Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink
+* https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Legitimate administrative activity related to shadow copies
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+process where event.type in ("start", "process_started") and
+process.pe.original_file_name == "Cmd.Exe" and process.args :
+"*mklink*" and process.args :
+"*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc
index da79368577..c747a3bd67 100644
--- a/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc
@@ -1,7 +1,7 @@
 [[third-party-backup-files-deleted-via-unexpected-process]]
 === Third-party Backup Files Deleted via Unexpected Process
 
-Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.
+Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.
 
 *Rule type*: eql
 
@@ -33,10 +33,12 @@ Identifies the deletion of backup files, saved using third-party software, by a
 * Threat Detection
 * Impact
 
-*Version*: 1
+*Version*: 2 (<<third-party-backup-files-deleted-via-unexpected-process-history, version history>>)
 
 *Added ({stack} release)*: 7.16.0
 
+*Last modified ({stack} release)*: 8.0.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -73,3 +75,10 @@ Exec\\*", "?:\\Program Files
 ** Name: Inhibit System Recovery
 ** ID: T1490
 ** Reference URL: https://attack.mitre.org/techniques/T1490/
+
+[[third-party-backup-files-deleted-via-unexpected-process-history]]
+==== Rule version history
+
+Version 2 (8.0.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-indicator-match.asciidoc b/docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-v8.x-indicator-match.asciidoc
similarity index 76%
rename from docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-indicator-match.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-v8.x-indicator-match.asciidoc
index d6b2bc90a6..592a0a1b44 100644
--- a/docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-indicator-match.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/threat-intel-filebeat-module-v8.x-indicator-match.asciidoc
@@ -1,7 +1,7 @@
-[[threat-intel-filebeat-module-indicator-match]]
-=== Threat Intel Filebeat Module Indicator Match
+[[threat-intel-filebeat-module-v8.x-indicator-match]]
+=== Threat Intel Filebeat Module (v8.x) Indicator Match
 
-This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
+This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.
 
 *Rule type*: threat_match
 
@@ -38,11 +38,9 @@ This rule is triggered when indicators from the Threat Intel Filebeat module has
 * SecOps
 * Monitoring
 
-*Version*: 3 (<<threat-intel-filebeat-module-indicator-match-history, version history>>)
+*Version*: 1
 
-*Added ({stack} release)*: 7.13.0
-
-*Last modified ({stack} release)*: 7.16.0
+*Added ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -58,17 +56,17 @@ This rule is triggered when indicators from the Threat Intel Filebeat module has
 ### Investigating Threat Intel Indicator Matches
 
 Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file
-hash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on
+hash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on
 an IP address, registry path, URL and imphash.
 
-The matches will be based on the incoming feed data so it's important to validate the data and review the results by
+The matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by
 investigating the associated activity to determine if it requires further investigation.
 
 If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
 
-- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
-- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation
-- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation
+- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
+- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation
+- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation
 
 #### Possible investigation steps:
 - Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
@@ -81,7 +79,7 @@ These kinds of questions can help understand if the activity is related to legit
 - For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
 be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
 intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
-may have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and
+may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
 no longer represents any threat.
 - Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
 way into indicator lists creating the potential for false positives.
@@ -107,10 +105,3 @@ file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:*
 or url.full:* or registry.path:*
 ----------------------------------
 
-
-[[threat-intel-filebeat-module-indicator-match-history]]
-==== Rule version history
-
-Version 3 (7.16.0 release)::
-* Formatting only
-
diff --git a/docs/detections/prebuilt-rules/rule-details/threat-intel-indicator-match.asciidoc b/docs/detections/prebuilt-rules/rule-details/threat-intel-indicator-match.asciidoc
new file mode 100644
index 0000000000..290f09d8f0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/threat-intel-indicator-match.asciidoc
@@ -0,0 +1,107 @@
+[[threat-intel-indicator-match]]
+=== Threat Intel Indicator Match
+
+This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.
+
+*Rule type*: threat_match
+
+*Rule indices*:
+
+* auditbeat-*
+* endgame-*
+* filebeat-*
+* logs-*
+* packetbeat-*
+* winlogbeat-*
+
+*Severity*: critical
+
+*Risk score*: 99
+
+*Runs every*: 1 hour
+
+*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html
+
+*Tags*:
+
+* Elastic
+* Windows
+* Elastic Endgame
+* Network
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License v2
+
+==== Investigation guide
+
+
+[source,markdown]
+----------------------------------
+## Triage and Analysis
+
+### Investigating Threat Intel Indicator Matches
+
+Threat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file
+hash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on
+an IP address, registry path, URL and imphash.
+
+The matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by
+investigating the associated activity to determine if it requires further investigation.
+
+If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
+
+- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
+- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation
+- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation
+
+#### Possible investigation steps:
+- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
+and viewing the source of that activity.
+- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
+These kinds of questions can help understand if the activity is related to legitimate behavior.
+- Consider the user and their role within the company, is this something related to their job or work function?
+
+### False Positive Analysis
+- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
+be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
+intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
+may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
+no longer represents any threat.
+- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
+way into indicator lists creating the potential for false positives.
+- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules
+
+### Response and Remediation
+- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further
+post-compromise behavior.
+- One example of a response if a machine matched a command and control IP address would be to add an entry to a network
+device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
+- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,
+review current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement
+
+----------------------------------
+
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:*
+or url.full:* or registry.path:*
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/whitespace-padding-in-process-command-line.asciidoc b/docs/detections/prebuilt-rules/rule-details/whitespace-padding-in-process-command-line.asciidoc
index 1176db60d0..3d28e78701 100644
--- a/docs/detections/prebuilt-rules/rule-details/whitespace-padding-in-process-command-line.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/whitespace-padding-in-process-command-line.asciidoc
@@ -33,11 +33,11 @@ Identifies process execution events where the command line value contains a long
 * Threat Detection
 * Defense Evasion
 
-*Version*: 2 (<<whitespace-padding-in-process-command-line-history, version history>>)
+*Version*: 4 (<<whitespace-padding-in-process-command-line-history, version history>>)
 
 *Added ({stack} release)*: 7.15.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -78,6 +78,9 @@ characters */ process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"
 [[whitespace-padding-in-process-command-line-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Formatting only
+
 Version 2 (7.16.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-defender-exclusions-added-via-powershell.asciidoc
index d66388ad1b..683585d13e 100644
--- a/docs/detections/prebuilt-rules/rule-details/windows-defender-exclusions-added-via-powershell.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/windows-defender-exclusions-added-via-powershell.asciidoc
@@ -33,11 +33,11 @@ Identifies modifications to the Windows Defender configuration settings using Po
 * Threat Detection
 * Defense Evasion
 
-*Version*: 4 (<<windows-defender-exclusions-added-via-powershell-history, version history>>)
+*Version*: 5 (<<windows-defender-exclusions-added-via-powershell-history, version history>>)
 
 *Added ({stack} release)*: 7.14.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -93,8 +93,8 @@ the exclusion and ensure antimalware capability has not been disabled or deleted
 process where event.type == "start" and (process.name :
 ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
 process.pe.original_file_name in ("powershell.exe", "pwsh.dll",
-"powershell_ise.exe")) and process.args : ("*Add-
-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
+"powershell_ise.exe")) and process.args : ("*Add-MpPreference*",
+"*Set-MpPreference*") and process.args : ("*-Exclusion*")
 ----------------------------------
 
 ==== Threat mapping
@@ -123,6 +123,18 @@ MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
 [[windows-defender-exclusions-added-via-powershell-history]]
 ==== Rule version history
 
+Version 5 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+process where event.type == "start" and (process.name :
+("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+process.pe.original_file_name in ("powershell.exe", "pwsh.dll",
+"powershell_ise.exe")) and process.args : ("*Add-
+MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
+----------------------------------
+
 Version 4 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc
new file mode 100644
index 0000000000..537ebb2576
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc
@@ -0,0 +1,75 @@
+[[windows-firewall-disabled-via-powershell]]
+=== Windows Firewall Disabled via PowerShell
+
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+* logs-windows.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
+* https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
+* http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+* http://woshub.com/manage-windows-firewall-powershell/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 8.0.0
+
+*Rule authors*: Austin Songer
+
+*Rule license*: Elastic License v2
+
+==== Potential false positives
+
+Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+process where event.action == "start" and (process.name :
+("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+process.pe.original_file_name == "PowerShell.EXE") and process.args
+: "*Set-NetFirewallProfile*" and (process.args : "*-Enabled*" and
+process.args : "*False*") and (process.args : "*-All*" or
+process.args : ("*Public*", "*Domain*", "*Private*"))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc
index 9db7f16aed..b9c52fc108 100644
--- a/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc
@@ -29,11 +29,11 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 * Threat Detection
 * Lateral Movement
 
-*Version*: 3 (<<wmi-incoming-lateral-movement-history, version history>>)
+*Version*: 4 (<<wmi-incoming-lateral-movement-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 7.16.0
+*Last modified ({stack} release)*: 8.0.0
 
 *Rule authors*: Elastic
 
@@ -47,11 +47,11 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 sequence by host.id with maxspan = 2s /* Accepted Incoming RPC
 connection by Winmgmt service */ [network where process.name :
 "svchost.exe" and network.direction : ("incoming", "ingress") and
-source.address != "127.0.0.1" and source.address != "::1" and
-source.port >= 49152 and destination.port >= 49152 ] /* Excluding
-Common FPs Nessus and SCCM */ [process where event.type in
-("start", "process_started") and process.parent.name : "WmiPrvSE.exe"
-and not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+source.ip != "127.0.0.1" and source.ip != "::1" and source.port >=
+49152 and destination.port >= 49152 ] /* Excluding Common FPs
+Nessus and SCCM */ [process where event.type in ("start",
+"process_started") and process.parent.name : "WmiPrvSE.exe" and not
+process.args : ("C:\\windows\\temp\\nessus_*.txt",
 "C:\\windows\\TEMP\\nessus_*.TMP",
 "C:\\Windows\\CCM\\SystemTemp\\*",
 "C:\\Windows\\CCMCache\\*",
@@ -80,6 +80,25 @@ and not process.args : ("C:\\windows\\temp\\nessus_*.txt",
 [[wmi-incoming-lateral-movement-history]]
 ==== Rule version history
 
+Version 4 (8.0.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+sequence by host.id with maxspan = 2s /* Accepted Incoming RPC
+connection by Winmgmt service */ [network where process.name :
+"svchost.exe" and network.direction : ("incoming", "ingress") and
+source.address != "127.0.0.1" and source.address != "::1" and
+source.port >= 49152 and destination.port >= 49152 ] /* Excluding
+Common FPs Nessus and SCCM */ [process where event.type in
+("start", "process_started") and process.parent.name : "WmiPrvSE.exe"
+and not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+"C:\\windows\\TEMP\\nessus_*.TMP",
+"C:\\Windows\\CCM\\SystemTemp\\*",
+"C:\\Windows\\CCMCache\\*",
+"C:\\CCM\\Cache\\*") ]
+----------------------------------
+
 Version 3 (7.16.0 release)::
 * Updated query, changed from:
 +
diff --git a/prebuilt-rules-scripts/changelog-entries.yml b/prebuilt-rules-scripts/changelog-entries.yml
index 40069ad6e7..b943b5e1b6 100644
--- a/prebuilt-rules-scripts/changelog-entries.yml
+++ b/prebuilt-rules-scripts/changelog-entries.yml
@@ -13,3 +13,4 @@
 - 7.14.0
 - 7.15.0
 - 7.16.0
+- '8.0.0'
diff --git a/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.0.0.json b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.0.0.json
new file mode 100644
index 0000000000..b30ccf378a
--- /dev/null
+++ b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.0.0.json
@@ -0,0 +1,50607 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Config Service Tampering",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
+      "https://github.com/easttimor/aws-incident-response"
+    ],
+    "risk_score": 47,
+    "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1020",
+            "name": "Automated Exfiltration",
+            "reference": "https://attack.mitre.org/techniques/T1020/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1074",
+            "name": "Data Staged",
+            "reference": "https://attack.mitre.org/techniques/T1074/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.",
+    "false_positives": [
+      "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 VM Export Failure",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
+    ],
+    "risk_score": 21,
+    "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.",
+    "false_positives": [
+      "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EFS File System or Mount Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been created.",
+    "false_positives": [
+      "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been modified or deleted.",
+    "false_positives": [
+      "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or \n\"Authorize Cache Security Group Ingress\" or  \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or \n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.",
+    "false_positives": [
+      "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EventBridge Rule Disabled or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Execution via System Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and\n  event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n  aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.1",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+    "false_positives": [
+      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM User Addition to Group",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "cloud.account.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Root Login",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:ConsoleLogin and event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.",
+    "false_positives": [
+      "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.",
+    "false_positives": [
+      "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Export",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Restored",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
+      "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"
+    ],
+    "risk_score": 47,
+    "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Root Login Without MFA",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n  aws.cloudtrail.user_identity.type:Root and\n  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n  event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
+    "false_positives": [
+      "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transfer Lock Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.",
+    "false_positives": [
+      "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transferred to Another Account",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been created.",
+    "false_positives": [
+      "Route Table being created may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"
+    ],
+    "risk_score": 21,
+    "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been modified or deleted.",
+    "false_positives": [
+      "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Also automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n",
+    "references": [
+      "https://github.com/easttimor/aws-incident-response#network-routing",
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a Route53 private hosted zone has been associated with VPC.",
+    "false_positives": [
+      "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route53 private hosted zone associated with a VPC",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n                DeleteBucketEncryption or DeleteBucketLifecycle)\n  and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.",
+    "false_positives": [
+      "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS SAML Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
+    "false_positives": [
+      "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS STS GetSessionToken Abuse",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and \naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.",
+    "false_positives": [
+      "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Group Configuration Change Detection",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.15.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.",
+    "false_positives": [
+      "Automated processes that uses Terraform may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Token Service (STS) AssumeRole Usage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
+    "false_positives": [
+      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Abnormally Large DNS Response",
+    "note": "## Triage and analysis\n\n### Investigating Large DNS Responses\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS\nserver. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)\nalso known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps:\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate\nthe source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.\n- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False Positive Analysis\n- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes\nand related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses\nwere all observed as greater than 65k bytes.\n- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's\nimportant to determine the source of the activity and potential whitelist the source host\n\n\n### Related Rules\n- Unusual Child Process of dns.exe\n- Unusual File Modification by dns.exe\n\n### Response and Remediation\n- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the\npatched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a\nrestart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and\n  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "event.category:(network or network_traffic) and destination.port:53 and\n  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access of Stored Browser Credentials",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n      \"/Users/*/Library/Cookies*\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n      \"Login Data\",\n      \"Cookies.binarycookies\", \n      \"key4.db\", \n      \"key3.db\", \n      \"logins.json\", \n      \"cookies.sqlite\"\n    )\n",
+    "references": [
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access to Keychain Credentials Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Keychains/*\",\n      \"/Library/Keychains/*\",\n      \"/Network/Library/Keychains/*\",\n      \"System.keychain\",\n      \"login.keychain-db\",\n      \"login.keychain\"\n    ) and\n    not process.args : (\"find-certificate\",\n                      \"add-trusted-cert\",\n                      \"set-keychain-settings\",\n                      \"delete-certificate\",\n                      \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n                      \"show-keychain-info\",\n                      \"lock-keychain\",\n                      \"set-key-partition-list\",\n                      \"import\",\n                      \"find-identity\") and\n    not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html",
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
+          "doc_text": "Updated query.",
+          "pre_name": "Compression of Keychain Credentials Directories",
+          "duplicate_old_file": "compression-of-keychain-credentials-directories"
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Keychains/*\",\n      \"/Library/Keychains/*\",\n      \"/Network/Library/Keychains/*\",\n      \"System.keychain\",\n      \"login.keychain-db\",\n      \"login.keychain\"\n    )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.",
+    "false_positives": [
+      "Legitimate remote account administration."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Account Password Reset Remotely",
+    "query": "sequence by host.id with maxspan=5m\n  [authentication where event.action == \"logged-in\" and\n    /* event 4624 need to be logged */\n    winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n    not source.ip in (\"127.0.0.1\", \"::1\")] by winlog.event_data.TargetLogonId\n   /* event 4724 need to be logged */\n  [iam where event.action == \"reset-password\"] by winlog.event_data.SubjectLogonId\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+      "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "AdFind Command Activity",
+    "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from\nActivity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways\nthey are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and\nunderstand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)\nobserved where this tool has been adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps:\n- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand\nthe source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines\nwhat information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.\n- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted\nmachine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic\nto suspicious infrastructure\n\n### False Positive Analysis\n- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One\noption could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can\nbe done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines could be very telling.\n\n### Related Rules\n- Windows Network Enumeration\n- Enumeration of Administrator Accounts\n- Enumeration Command Spawned via WMIPrvSE\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior\n- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate\npurposes, so understanding the intent behind the activity will help determine the appropropriate response.\n",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+    "references": [
+      "http://www.joeware.net/freetools/tools/adfind/",
+      "https://thedfirreport.com/2020/05/08/adfind-recon/",
+      "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+      "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+      "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/",
+            "subtechnique": [
+              {
+                "id": "T1087.002",
+                "name": "Domain Account",
+                "reference": "https://attack.mitre.org/techniques/T1087/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1482",
+            "name": "Domain Trust Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1482/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"attrib.exe\" and process.args : \"+h\"\n",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Privileges Assigned to an Okta Group",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": "Administrator Privileges Assigned to Okta Group"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Role Assigned to an Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Okta",
+      "SecOps",
+      "Monitoring",
+      "Continuous Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.privilege.grant",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adobe Hijack Persistence",
+    "query": "file where event.type == \"creation\" and\n  file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n               \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n  not process.name : \"msiexec.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.010",
+                "name": "Services File Permissions Weakness",
+                "reference": "https://attack.mitre.org/techniques/T1574/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.2",
+          "pre_query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Adversary Behavior - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Adversary Behavior - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Adversary Behavior - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Adversary Behavior - Detected - Endpoint Security",
+          "duplicate_old_file": "adversary-behavior-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events which have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Mismatched Agent ID",
+    "query": "event.agent_id_status:agent_id_mismatch\n",
+    "risk_score": 73,
+    "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Multiple Hosts Using Same Agent",
+    "query": "event.agent_id_status:*\n",
+    "risk_score": 73,
+    "rule_id": "493834ca-f861-414c-8602-150d5505b777",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "host.id",
+          "value": 2
+        }
+      ],
+      "field": [
+        "agent.id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_process_all_hosts_ecs",
+      "v2_linux_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Linux Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_all_hosts_ecs",
+      "v2_windows_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Windows Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_creation",
+      "v2_windows_anomalous_process_creation"
+    ],
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Script Execution followed by Network Connection",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Command and Control",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip, \"10.0.0.0/8\",  \n                                \"172.16.0.0/12\", \n                                \"192.168.0.0/16\", \n                                \"127.0.0.0/8\", \n                                \"169.254.0.0/16\", \n                                \"224.0.0.0/4\", \n                                \"FE80::/10\", \n                                \"FF00::/8\")\n ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip, \"10.0.0.0/8\",  \n                                \"172.16.0.0/12\", \n                                \"192.168.0.0/16\", \n                                \"127.0.0.0/8\", \n                                \"169.254.0.0/16\", \n                                \"224.0.0.0/4\", \n                                \"FE80::/10\", \n                                \"FF00::/8\")\n ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Scripting Execution with Administrator Privileges",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n  process.command_line : \"osascript*with administrator privileges\"\n",
+    "references": [
+      "https://discussions.apple.com/thread/2266150"
+    ],
+    "risk_score": 47,
+    "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+    "false_positives": [
+      "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Application Added to Google Workspace Domain",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+    "references": [
+      "https://support.google.com/a/answer/6328701?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Create Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate MFA for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Deactivate MFA for Okta User Account"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:zone.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:zone.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:zone.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Deactivate Okta Policy"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Deactivate Okta MFA Rule"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:zone.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:zone.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:zone.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Delete Okta Policy"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Gatekeeper",
+    "query": "event.category:process and event.type:(start or process_started) and \n  process.args:(spctl and \"--master-disable\")\n",
+    "references": [
+      "https://support.apple.com/en-us/HT202491",
+      "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
+    ],
+    "risk_score": 47,
+    "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:ufw and process.args:(allow or disable or reset) or\n\n  (((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill))) and\n   process.args:(firewalld or ip6tables or iptables))\n",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  ((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill)))\n  and process.args:(syslog or rsyslog or \"syslog-ng\")\n",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Enable the Root Account",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/dsenableroot.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Install Root Certificate",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:security and process.args:\"add-trusted-cert\"\n",
+    "references": [
+      "https://ss64.com/osx/security-cert.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:application.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Updated query.",
+          "pre_name": "Attempt to Modify Okta Network Zone"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Modify Okta Policy"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+          "doc_text": "Updated query.",
+          "pre_name": "Attempt to Modify Okta MFA Rule"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:policy.rule.update",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Mount SMB Share via Command Line",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    process.name : \"mount_smbfs\" or\n    (process.name : \"open\" and process.args : \"smb://*\") or\n    (process.name : \"mount\" and process.args : \"smbfs\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n  )\n",
+    "references": [
+      "https://www.freebsd.org/cgi/man.cgi?mount_smbfs",
+      "https://ss64.com/osx/mount.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Remove File Quarantine Attribute",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"xattr\" and\n  (\n    (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n    (process.args : \"-c\" and process.command_line :\n      (\n        \"/bin/bash -c xattr -c *\",\n        \"/bin/zsh -c xattr -c *\",\n        \"/bin/sh -c xattr -c *\"\n      )\n    )\n  )\n",
+    "references": [
+      "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+      "https://ss64.com/osx/xattr.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name == \"xattr\" and process.args == \"com.apple.quarantine\" and process.args == \"-d\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name == \"xattr\" and process.args == \"com.apple.quarantine\" and process.args == \"-d\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Reset MFA Factors for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Formatting only",
+          "pre_name": "Attempt to Reset MFA Factors for Okta User Account"
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n",
+    "risk_score": 73,
+    "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force a Microsoft 365 User Account",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n                             UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure\n",
+    "references": [
+      "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+    ],
+    "risk_score": 73,
+    "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.lock",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.lock",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.lock",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.lock",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt occurred at a forbidden time.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login Attempt at Forbidden Time",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"
+    ],
+    "risk_score": 47,
+    "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt has happened from a forbidden location.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login from Forbidden Location",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"
+    ],
+    "risk_score": 73,
+    "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number of failed login attempts has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Failed Login Attempts",
+    "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"
+    ],
+    "risk_score": 47,
+    "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number login sessions has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Login Sessions",
+    "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"
+    ],
+    "risk_score": 47,
+    "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Authorization Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:(/Library/Security/SecurityAgentPlugins/* and\n  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)\n",
+    "references": [
+      "https://developer.apple.com/documentation/security/authorization_plug-ins",
+      "https://www.xorrior.com/persistent-credential-theft/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n  event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 73,
+    "rule_id": "37994bca-0611-4500-ab67-5588afe73b77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:high and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.risk_level_during_signin:high and\n  event.outcome:(success or Success)\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk User Sign-in Heuristic",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 47,
+    "rule_id": "26edba02-6979-4bce-920a-70b080a7be81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.",
+    "false_positives": [
+      "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory PowerShell Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n  azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.004",
+                "name": "Cloud Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.",
+    "false_positives": [
+      "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Alert Suppression Rule Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and \nevent.outcome: \"success\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+      "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update"
+    ],
+    "risk_score": 21,
+    "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.",
+    "false_positives": [
+      "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Application Credential Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Account Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n  (\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Webhook Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n    (\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n    ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Permissions Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\n  (\n    azure.activitylogs.operation_name:\"Update policy\" or\n    azure.auditlogs.operation_name:\"Update policy\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure External Guest User Invitation",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"
+    ],
+    "risk_score": 21,
+    "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n    (\n        \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n    ) and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n    azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n                                    \"Add member to role in PIM completed (timebound)\") and\n    azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n    event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Key Vault Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
+    "false_positives": [
+      "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Events Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.",
+    "false_positives": [
+      "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Pods Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Rolebindings Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+      "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"
+    ],
+    "risk_score": 21,
+    "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Network Watcher Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Resource Group Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+    "false_positives": [
+      "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Addition",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.",
+    "false_positives": [
+      "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Credentials Added",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials.\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1496",
+            "name": "Resource Hijacking",
+            "reference": "https://attack.mitre.org/techniques/T1496/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:(Success or success)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.",
+    "false_positives": [
+      "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Virtual Network Device Modified or Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\"or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 21,
+    "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(base16 or base32 or base32plain or base32hex)\n",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.",
+    "false_positives": [
+      "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Bash Shell Profile Modification",
+    "query": "event.category:file and event.type:change and\n  process.name:(* and not (sudo or\n                           vim or\n                           zsh or\n                           env or\n                           nano or\n                           bash or\n                           Terminal or\n                           xpcproxy or\n                           login or\n                           cat or\n                           cp or\n                           launchctl or\n                           java)) and\n  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n  file.path:(/private/etc/rc.local or\n             /etc/rc.local or\n             /home/*/.profile or\n             /home/*/.profile1 or\n             /home/*/.bash_profile or\n             /home/*/.bash_profile1 or\n             /home/*/.bashrc or\n             /Users/*/.bash_profile or\n             /Users/*/.zshenv)\n",
+    "references": [
+      "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.004",
+                "name": "Unix Shell Configuration Modification",
+                "reference": "https://attack.mitre.org/techniques/T1546/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.category:file and event.type:change and\n  process.name:(* and not (sudo or\n                           vim or\n                           zsh or\n                           env or\n                           nano or\n                           bash or\n                           Terminal or\n                           xpcproxy or\n                           login or\n                           cat or\n                           cp or\n                           launchctl or\n                           java)) and\n  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n  file.path:(/private/etc/rc.local or\n             /etc/rc.local or\n             /home/*/.profile or\n             /home/*/.profile1 or\n             /home/*/.bash_profile or\n             /home/*/.bash_profile1 or\n             /home/*/.bashrc or\n             /Users/*/.bash_profile or\n             /Users/*/.zshenv)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : \n            (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n             \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n             \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : \n            (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n             \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n             \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Console History",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n     (process.args : \"*Clear-History*\" or\n     (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n     (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n",
+    "references": [
+      "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+      "https://www.shellhacks.com/clear-history-powershell/",
+      "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+    ],
+    "risk_score": 47,
+    "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Event Logs",
+    "query": "process where event.type in (\"process_started\", \"start\") and\n  (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n    process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"process_started\", \"start\") and\n  (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n    process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n  process.name : \"powershell.exe\" and process.args : \"Clear-EventLog\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.",
+    "false_positives": [
+      "Trusted SolarWinds child processes. Verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Execution via SolarWinds Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.",
+    "false_positives": [
+      "Microsoft Windows installers leveraging RunDLL32 for installation."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Shell Activity Started via RunDLL32",
+    "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n  /* common FPs can be added here */\n  not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n                             \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n",
+    "risk_score": 21,
+    "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and \n  /* common FPs can be added here */\n  not process.parent.args : \"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and \n  /* common FPs can be added here */\n  not process.parent.args : \"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and \n  /* common FPs can be added here */\n  not process.parent.args : \"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Component Object Model Hijacking",
+    "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n      registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+    "references": [
+      "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.015",
+                "name": "Component Object Model Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1546/015/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocXServer32\\\\\",  \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocXServer32\\\\\",  \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocXServer32\\\\\",  \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"conhost.exe\" and\n  process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n                         \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n                         \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Free SSL Certificate Providers",
+    "query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1573",
+            "name": "Encrypted Channel",
+            "reference": "https://attack.mitre.org/techniques/T1573/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Web Services",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\",\n        \"cdn.discordapp.com\",\n        \"discordapp.com\",\n        \"discord.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\-*\\\\Discord.exe\"\n    )\n",
+    "risk_score": 21,
+    "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1102",
+            "name": "Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1102/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1567",
+            "name": "Exfiltration Over Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1567/",
+            "subtechnique": [
+              {
+                "id": "T1567.001",
+                "name": "Exfiltration to Code Repository",
+                "reference": "https://attack.mitre.org/techniques/T1567/001/"
+              },
+              {
+                "id": "T1567.002",
+                "name": "Exfiltration to Cloud Storage",
+                "reference": "https://attack.mitre.org/techniques/T1567/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "network where network.protocol == \"dns\" and\n             /* Add new WebSvc domains here */\n              wildcard(dns.question.name, \"*.githubusercontent.*\",\n                                          \"*.pastebin.*\",\n                                          \"*drive.google.*\",\n                                          \"*docs.live.*\",\n                                          \"*api.dropboxapi.*\",\n                                          \"*dropboxusercontent.*\",\n                                          \"*onedrive.*\",\n                                          \"*4shared.*\",\n                                          \"*.file.io\",\n                                          \"*filebin.net\",\n                                          \"*slack-files.com\",\n                                          \"*ghostbin.*\",\n                                          \"*ngrok.*\",\n                                          \"*portmap.*\",\n                                          \"*serveo.net\",\n                                          \"*localtunnel.me\",\n                                          \"*pagekite.me\",\n                                          \"*localxpose.io\",\n                                          \"*notabug.org\"\n                      ) and\n                          /* Insert noisy false positives here */\n              not process.name in (\"MicrosoftEdgeCP.exe\",\n                                    \"MicrosoftEdge.exe\",\n                                    \"iexplore.exe\",\n                                    \"chrome.exe\",\n                                    \"msedge.exe\",\n                                    \"opera.exe\",\n                                    \"firefox.exe\",\n                                    \"Dropbox.exe\",\n                                    \"slack.exe\",\n                                    \"svchost.exe\",\n                                    \"thunderbird.exe\",\n                                    \"outlook.exe\",\n                                    \"OneDrive.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n             /* Add new WebSvc domains here */\n              wildcard(dns.question.name, \"*.githubusercontent.*\",\n                                          \"*.pastebin.*\",\n                                          \"*drive.google.*\",\n                                          \"*docs.live.*\",\n                                          \"*api.dropboxapi.*\",\n                                          \"*dropboxusercontent.*\",\n                                          \"*onedrive.*\",\n                                          \"*4shared.*\",\n                                          \"*.file.io\",\n                                          \"*filebin.net\",\n                                          \"*slack-files.com\",\n                                          \"*ghostbin.*\",\n                                          \"*ngrok.*\",\n                                          \"*portmap.*\",\n                                          \"*serveo.net\",\n                                          \"*localtunnel.me\",\n                                          \"*pagekite.me\",\n                                          \"*localxpose.io\",\n                                          \"*notabug.org\"\n                      ) and\n                          /* Insert noisy false positives here */\n              not process.name in (\"MicrosoftEdgeCP.exe\",\n                                    \"MicrosoftEdge.exe\",\n                                    \"iexplore.exe\",\n                                    \"chrome.exe\",\n                                    \"msedge.exe\",\n                                    \"opera.exe\",\n                                    \"firefox.exe\",\n                                    \"Dropbox.exe\",\n                                    \"slack.exe\",\n                                    \"svchost.exe\",\n                                    \"thunderbird.exe\",\n                                    \"outlook.exe\",\n                                    \"OneDrive.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"*.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.name :\n    (\n        \"MicrosoftEdgeCP.exe\",\n        \"MicrosoftEdge.exe\",\n        \"iexplore.exe\",\n        \"chrome.exe\",\n        \"msedge.exe\",\n        \"opera.exe\",\n        \"firefox.exe\",\n        \"Dropbox.exe\",\n        \"slack.exe\",\n        \"svchost.exe\",\n        \"thunderbird.exe\",\n        \"outlook.exe\",\n        \"OneDrive.exe\"\n    )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n    )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n                                  \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n                                  \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                              \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                              \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                              \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                              \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                              \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Control Panel Process with Unusual Arguments",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n          (\"*.jpg*\",\n           \"*.png*\",\n           \"*.gif*\",\n           \"*.bmp*\",\n           \"*.jpeg*\",\n           \"*.TIFF*\",\n           \"*.inf*\",\n           \"*.dat*\",\n           \"*.cpl:*/*\",\n           \"*../../..*\",\n           \"*/AppData/Local/*\",\n           \"*:\\\\Users\\\\Public\\\\*\",\n           \"*\\\\AppData\\\\Local\\\\*\")\n",
+    "references": [
+      "https://www.joesandbox.com/analysis/476188/1/html"
+    ],
+    "risk_score": 73,
+    "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.002",
+                "name": "Control Panel",
+                "reference": "https://attack.mitre.org/techniques/T1218/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n          (\"*.jpg*\",\n           \"*.png*\",\n           \"*.gif*\",\n           \"*.bmp*\",\n           \"*.jpeg*\",\n           \"*.TIFF*\",\n           \"*.inf*\",\n           \"*.dat*\",\n           \"*.cpl:*/*\",\n           \"*../../..*\",\n           \"*/AppData/Local/*\",\n           \"*:\\\\Users\\\\Public\\\\*\",\n           \"*\\\\AppData\\\\Local\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n  process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n  not process.name in (\"ls\", \"find\")\n",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Launch Agent or Daemon",
+    "query": "file where event.type != \"deletion\" and\n  file.path : \n  (\n    \"/System/Library/LaunchAgents/.*.plist\",\n    \"/Library/LaunchAgents/.*.plist\",\n    \"/Users/*/Library/LaunchAgents/.*.plist\",\n    \"/System/Library/LaunchDaemons/.*.plist\",\n    \"/Library/LaunchDaemons/.*.plist\"\n  )\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Login Item via Apple Script",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
+    "risk_score": 47,
+    "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.002",
+                "name": "AppleScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of a Hidden Local User Account",
+    "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+    "references": [
+      "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+      "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
+    ],
+    "risk_score": 73,
+    "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.004",
+                "name": "Private Keys",
+                "reference": "https://attack.mitre.org/techniques/T1552/004/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Root Certificate",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path :\n    (\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+      "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"
+    ],
+    "risk_score": 21,
+    "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "file where event.type != \"deletion\" and\n  file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n               \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n  not process.name : \"dfsrs.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type != \"deletion\" and\n  file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n               \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n  not process.name : \"dfsrs.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Credential Acquisition via Registry Hive Dumping",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              },
+              {
+                "id": "T1003.004",
+                "name": "LSA Secrets",
+                "reference": "https://attack.mitre.org/techniques/T1003/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\") and\n not process.parent.executable : \"C:\\\\Program Files*\\\\Rapid7\\\\Insight Agent\\\\components\\\\insight_agent\\\\*\\\\ir_agent.exe\"\n \n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\") and\n not process.parent.executable : \"C:\\\\Program Files*\\\\Rapid7\\\\Insight Agent\\\\components\\\\insight_agent\\\\*\\\\ir_agent.exe\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Detected - Endpoint Security",
+          "duplicate_old_file": "credential-dumping-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Prevented - Endpoint Security",
+          "duplicate_old_file": "credential-dumping-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Detected - Endpoint Security",
+          "duplicate_old_file": "credential-manipulation-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Prevented - Endpoint Security",
+          "duplicate_old_file": "credential-manipulation-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Error",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"
+    ],
+    "risk_score": 73,
+    "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Recommended Monitor",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and\n  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n  not event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 12,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 12,
+          "updated": "7.16.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "DNS-over-HTTPS Enabled via Registry",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n  registry.data.strings : \"secure\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+      "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"
+    ],
+    "risk_score": 21,
+    "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n  registry.data.strings : \"secure\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n  registry.data.strings : \"1\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Default Cobalt Strike Team Server Certificate",
+    "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
+    "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
+    "references": [
+      "https://attack.mitre.org/software/S0154/",
+      "https://www.cobaltstrike.com/help-setup-collaboration",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
+    "severity": "critical",
+    "tags": [
+      "Command and Control",
+      "Post-Execution",
+      "Threat Detection",
+      "Elastic",
+      "Network",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"deletejournal\" and process.args : \"usn\"\n",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n  process.args : \"catalog\" and process.args : \"delete\"\n",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n  process.args : \"catalog\" and process.args : \"delete\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Ivan Ninichuck",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Event and Security Logs Using Built-in Tools",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n\n  ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n      process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n  ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n      (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\")  or\n\t\n  ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"
+    ],
+    "risk_score": 21,
+    "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n\n  ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n      process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n  ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n      (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\")  or\n\t\n  ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"netsh.exe\" and\n  (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n  (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"netsh.exe\" and\n  (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n  (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling User Account Control via Registry Modification",
+    "query": "registry where event.type == \"change\" and\n  registry.path :\n    (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n    ) and\n  registry.data.strings : \"0\"\n",
+    "references": [
+      "https://www.greyhathacker.net/?p=796",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "registry where event.type == \"change\" and\n  registry.path :\n    (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n    ) and\n  registry.data.strings : \"0\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+    "false_positives": [
+      "Planned Windows Defender configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling Windows Defender Security Settings via PowerShell",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
+    "false_positives": [
+      "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Domain Added to Google Workspace Trusted Domains",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+    "references": [
+      "https://support.google.com/a/answer/6160020?hl=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Dumping Account Hashes via Built-In Commands",
+    "query": "event.category:process and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n",
+    "references": [
+      "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+      "https://www.unix.com/man-page/osx/8/mkpassdb/"
+    ],
+    "risk_score": 73,
+    "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Dumping of Keychain Content via Security Command",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/security.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "EggShell Backdoor Execution",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n",
+    "references": [
+      "https://github.com/neoneggplant/EggShell"
+    ],
+    "risk_score": 73,
+    "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Emond Rules Creation or Modification",
+    "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+    "false_positives": [
+      "Host Windows Firewall planned system administration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enable Host Network Discovery via Netsh",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+    "risk_score": 47,
+    "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encoded Executable Stored in the Registry",
+    "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+    "risk_score": 47,
+    "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encrypting Files with WinRar or 7z",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
+    ],
+    "risk_score": 47,
+    "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:(endpoint and not endgame)",
+          "doc_text": "Formatting only",
+          "pre_name": "Elastic Endpoint Security"
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:(endpoint and not endgame)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration Command Spawned via WMIPrvSE",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name:\n  (\n    \"arp.exe\",\n    \"dsquery.exe\",\n    \"dsget.exe\",\n    \"gpresult.exe\",\n    \"hostname.exe\",\n    \"ipconfig.exe\",\n    \"nbtstat.exe\",\n    \"net.exe\",\n    \"net1.exe\",\n    \"netsh.exe\",\n    \"netstat.exe\",\n    \"nltest.exe\",\n    \"ping.exe\",\n    \"qprocess.exe\",\n    \"quser.exe\",\n    \"qwinsta.exe\",\n    \"reg.exe\",\n    \"sc.exe\",\n    \"systeminfo.exe\",\n    \"tasklist.exe\",\n    \"tracert.exe\",\n    \"whoami.exe\"\n  ) and\n  process.parent.name:\"wmiprvse.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name:\n  (\n    \"arp.exe\",\n    \"dsquery.exe\",\n    \"dsget.exe\",\n    \"gpresult.exe\",\n    \"hostname.exe\",\n    \"ipconfig.exe\",\n    \"nbtstat.exe\",\n    \"net.exe\",\n    \"net1.exe\",\n    \"netsh.exe\",\n    \"netstat.exe\",\n    \"nltest.exe\",\n    \"ping.exe\",\n    \"qprocess.exe\",\n    \"quser.exe\",\n    \"qwinsta.exe\",\n    \"reg.exe\",\n    \"sc.exe\",\n    \"systeminfo.exe\",\n    \"tasklist.exe\",\n    \"tracert.exe\",\n    \"whoami.exe\"\n  ) and\n  process.parent.name:\"wmiprvse.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Administrator Accounts",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+    "risk_score": 21,
+    "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Privileged Local Groups Membership",
+    "note": "## Config\n\nThis will require Windows security event 4799 by enabling audit success for the windows Account Management category and\nthe Security Group Management subcategory.\n",
+    "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n              (\"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n               \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n               \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n               \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n               \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n               \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n               \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n               \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n               \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n               \"?:\\\\Program Files\\\\*.exe\",\n               \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n  winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n",
+    "risk_score": 43,
+    "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Users or Groups via Built-in Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n    \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n     \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n     \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n     \"/usr/local/jamf/bin/jamf\"\n    ) and \n  process.name : (\"ldapsearch\", \"dsmemberutil\") or\n  (process.name : \"dscl\" and \n     process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n     process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n",
+    "risk_score": 21,
+    "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n    \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\") and \n  process.name : (\"ldapsearch\", \"dsmemberutil\") or\n  (process.name : \"dscl\" and \n     process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n     process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Executable File Creation with Multiple Extensions",
+    "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n  file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n",
+    "risk_score": 47,
+    "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.004",
+                "name": "Masquerade Task or Service",
+                "reference": "https://attack.mitre.org/techniques/T1036/004/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "file where event.type == \"creation\" and file.extension:\"exe\" and\n  file.name:\n  (\n    \"*.vbs.exe\",\n    \"*.vbe.exe\",\n    \"*.bat.exe\",\n    \"*.js.exe\",\n    \"*.cmd.exe\",\n    \"*.wsh.exe\",\n    \"*.ps1.exe\",\n    \"*.pdf.exe\",\n    \"*.docx.exe\",\n    \"*.doc.exe\",\n    \"*.xlsx.exe\",\n    \"*.xls.exe\",\n    \"*.pptx.exe\",\n    \"*.ppt.exe\",\n    \"*.txt.exe\",\n    \"*.rtf.exe\",\n    \"*.gif.exe\",\n    \"*.jpg.exe\",\n    \"*.png.exe\",\n    \"*.bmp.exe\",\n    \"*.hta.exe\",\n    \"*.txt.exe\",\n    \"*.img.exe\",\n    \"*.iso.exe\"\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n  file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution from Unusual Directory - Command Line",
+    "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name : (\"wscript.exe\", \n                  \"cscript.exe\", \n                  \"rundll32.exe\", \n                  \"regsvr32.exe\", \n                  \"cmstp.exe\",\n                  \"RegAsm.exe\",\n                  \"installutil.exe\",\n                  \"mshta.exe\",\n                  \"RegSvcs.exe\", \n                  \"powershell.exe\", \n                  \"pwsh.exe\", \n                  \"cmd.exe\") and\n                  \n  /* add suspicious execution paths here */\n  process.args : (\"C:\\\\PerfLogs\\\\*\",\n                  \"C:\\\\Users\\\\Public\\\\*\",\n                  \"C:\\\\Users\\\\Default\\\\*\",\n                  \"C:\\\\Windows\\\\Tasks\\\\*\",\n                  \"C:\\\\Intel\\\\*\", \n                  \"C:\\\\AMD\\\\Temp\\\\*\", \n                  \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n                  \"C:\\\\Windows\\\\ServiceState\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n                  \"C:\\\\Windows\\\\Branding\\\\*\",\n                  \"C:\\\\Windows\\\\csc\\\\*\",\n                  \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n                  \"C:\\\\Windows\\\\en-US\\\\*\",\n                  \"C:\\\\Windows\\\\wlansvc\\\\*\",\n                  \"C:\\\\Windows\\\\Prefetch\\\\*\",\n                  \"C:\\\\Windows\\\\Fonts\\\\*\",\n                  \"C:\\\\Windows\\\\diagnostics\\\\*\",\n                  \"C:\\\\Windows\\\\TAPI\\\\*\",\n                  \"C:\\\\Windows\\\\INF\\\\*\",\n                  \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n                  \"C:\\\\windows\\\\tracing\\\\*\",\n                  \"c:\\\\windows\\\\IME\\\\*\",\n                  \"c:\\\\Windows\\\\Performance\\\\*\",\n                  \"c:\\\\windows\\\\intel\\\\*\",\n                  \"c:\\\\windows\\\\ms\\\\*\",\n                  \"C:\\\\Windows\\\\dot3svc\\\\*\",\n                  \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n                  \"C:\\\\Windows\\\\panther\\\\*\",\n                  \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n                  \"C:\\\\Windows\\\\OCR\\\\*\",\n                  \"C:\\\\Windows\\\\appcompat\\\\*\",\n                  \"C:\\\\Windows\\\\apppatch\\\\*\",\n                  \"C:\\\\Windows\\\\addins\\\\*\",\n                  \"C:\\\\Windows\\\\Setup\\\\*\",\n                  \"C:\\\\Windows\\\\Help\\\\*\",\n                  \"C:\\\\Windows\\\\SKB\\\\*\",\n                  \"C:\\\\Windows\\\\Vss\\\\*\",\n                  \"C:\\\\Windows\\\\Web\\\\*\",\n                  \"C:\\\\Windows\\\\servicing\\\\*\",\n                  \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n                  \"C:\\\\Windows\\\\Logs\\\\*\",\n                  \"C:\\\\Windows\\\\WaaS\\\\*\",\n                  \"C:\\\\Windows\\\\twain_32\\\\*\",\n                  \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n                  \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n                  \"C:\\\\Windows\\\\PLA\\\\*\",\n                  \"C:\\\\Windows\\\\Migration\\\\*\",\n                  \"C:\\\\Windows\\\\debug\\\\*\",\n                  \"C:\\\\Windows\\\\Cursors\\\\*\",\n                  \"C:\\\\Windows\\\\Containers\\\\*\",\n                  \"C:\\\\Windows\\\\Boot\\\\*\",\n                  \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n                  \"C:\\\\Windows\\\\assembly\\\\*\",\n                  \"C:\\\\Windows\\\\TextInput\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\schemas\\\\*\",\n                  \"C:\\\\Windows\\\\SchCache\\\\*\",\n                  \"C:\\\\Windows\\\\Resources\\\\*\",\n                  \"C:\\\\Windows\\\\rescache\\\\*\",\n                  \"C:\\\\Windows\\\\Provisioning\\\\*\",\n                  \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n                  \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n                  \"C:\\\\Windows\\\\media\\\\*\",\n                  \"C:\\\\Windows\\\\Globalization\\\\*\",\n                  \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n                  \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n                  \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n                  \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n                  \"C:\\\\$Recycle.Bin\\\\*\") and\n  not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n                                   \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n                                   \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n  not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n",
+    "risk_score": 47,
+    "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of COM object via Xwizard",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n   (process.args : \"RunWizard\" and process.args : \"{*}\") or\n   (process.executable != null and\n     not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n   )\n )\n",
+    "references": [
+      "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+      "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of Persistent Suspicious Program",
+    "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n   /* add suspicious programs here */\n   process.pe.original_file_name in (\"cscript.exe\",\n                                     \"wscript.exe\",\n                                     \"PowerShell.EXE\",\n                                     \"MSHTA.EXE\",\n                                     \"RUNDLL32.EXE\",\n                                     \"REGSVR32.EXE\",\n                                     \"RegAsm.exe\",\n                                     \"MSBuild.exe\",\n                                     \"InstallUtil.exe\") and\n    /* add potential suspicious paths here */\n    process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n   /* add suspicious programs here */\n   process.pe.original_file_name in (\"cscript.exe\",\n                                     \"wscript.exe\",\n                                     \"PowerShell.EXE\",\n                                     \"MSHTA.EXE\",\n                                     \"RUNDLL32.EXE\",\n                                     \"REGSVR32.EXE\",\n                                     \"RegAsm.exe\",\n                                     \"MSBuild.exe\",\n                                     \"InstallUtil.exe\") and\n    /* add potential suspicious paths here */\n    process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n   ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution via Electron Child Process Node.js Module",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n",
+    "references": [
+      "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
+      "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
+      "https://nodejs.org/api/child_process.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via TSClient Mountpoint",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 73,
+    "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via local SxS Shared Module",
+    "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.",
+    "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"
+    ],
+    "risk_score": 47,
+    "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1129",
+            "name": "Shared Modules",
+            "reference": "https://attack.mitre.org/techniques/T1129/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution with Explicit Credentials via Scripting",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
+      "https://www.manpagez.com/man/8/security_authtrampoline/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"security_authtrampoline\"] by process.ppid\n",
+          "doc_text": "Updated query.",
+          "pre_name": "Execution with Explicit Credentials via Apple Scripting",
+          "duplicate_old_file": "execution-with-explicit-credentials-via-apple-scripting"
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Detected - Endpoint Security",
+          "duplicate_old_file": "exploit-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Prevented - Endpoint Security",
+          "duplicate_old_file": "exploit-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Exporting Exchange Mailbox via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.002",
+                "name": "Remote Email Collection",
+                "reference": "https://attack.mitre.org/techniques/T1114/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and not event.module:(endgame or endpoint)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and not event.module:(endgame or endpoint)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "event.kind:alert and not event.module:(endgame or endpoint)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "External IP Lookup from Non-Browser Process",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\",\n        \"*ipapi.co\",\n        \"*ip-lookup.net\",\n        \"*ipstack.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+          "doc_text": "Updated query.",
+          "pre_name": "Public IP Reconnaissance Activity",
+          "duplicate_old_file": "public-ip-reconnaissance-activity"
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\",\n        \"*ipapi.co\",\n        \"*ip-lookup.net\",\n        \"*ipstack.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": "External IP Lookup fron Non-Browser Process",
+          "duplicate_old_file": "external-ip-lookup-fron-non-browser-process"
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and\n  process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(chmod or chown or chattr or chgrp) and\n  process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n  not user.name:root\n",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.",
+    "false_positives": [
+      "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "File and Directory Discovery",
+    "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n",
+    "risk_score": 21,
+    "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1083",
+            "name": "File and Directory Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1083/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and\n  process.args : (\"dir\", \"tree\")\n\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and\n  process.args : (\"dir\", \"tree\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.",
+    "false_positives": [
+      "Trusted Finder Sync Plugins"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Finder Sync Plugin Registered and Enabled",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Role Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Kubernetes Rolebindings Created or Patched",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+      "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Disabled",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Key Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:storage.buckets.delete",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.",
+    "false_positives": [
+      "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+    "references": [
+      "https://developers.google.com/admin-sdk/directory/v1/guides/delegation"
+    ],
+    "risk_score": 47,
+    "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Assigned to a User",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/172176?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.",
+    "false_positives": [
+      "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Deletion",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Custom Admin Role Created",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace MFA Enforcement Disabled",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false\n",
+    "references": [
+      "https://support.google.com/a/answer/9176657?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Password Policy Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and\n  event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  gsuite.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  ) or\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and\n  event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  gsuite.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  ) or\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Role Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Group Policy Abuse for Privilege Addition",
+    "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named\nGptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique\nfor each GPO, and only exists if the GPO contains security settings.\nExample Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges,\nfor example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user SIDs associated with these privileges\n\n### False Positive Analysis\n- Verify if these User SIDs should have these privileges enabled.\n- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the\n`winlog.event_data.SubjectUserName` field\n\n### Related Rules\n- Scheduled Task Execution at Scale via GPO\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and \nwinlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 73,
+    "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n  network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n  destination.port:(53 OR 80 OR 8080 OR 443)\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and\n  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n                user.account.unlock_token)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Process and/or Service Terminations",
+    "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
+    "risk_score": 47,
+    "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Hosts File Modified",
+    "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "any where\n\n  /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n     miss this, which is the purpose of the process + command line args logic below */\n  (\n   event.category == \"file\" and event.type in (\"change\", \"creation\") and\n     file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n  )\n  or\n\n  /* process events for change targeting linux only */\n  (\n   event.category == \"process\" and event.type in (\"start\") and\n     process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n     process.args : (\"/etc/hosts\")\n  )\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type in (\"change\", \"creation\") and\n  file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") \n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (hping3 or hping2 or hping) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(hping or hping2 or hping3) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n  process.args : \"/dontLog*:*True\" and\n  not process.parent.name : \"iissetup.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.002",
+                "name": "Disable Windows Event Logging",
+                "reference": "https://attack.mitre.org/techniques/T1562/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n  process.args : \"/dontLog*:*True\" and\n  not process.parent.name : \"iissetup.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:udp and destination.port:4500",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Image File Execution Options Injection",
+    "query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+    "references": [
+      "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
+    ],
+    "risk_score": 41,
+    "rule_id": "6839c821-011d-43bd-bd5b-acff00257226",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.012",
+                "name": "Image File Execution Options Injection",
+                "reference": "https://attack.mitre.org/techniques/T1546/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings : (\"C:\\\\Program Files*\\\\ThinKiosk\\\\thinkiosk.exe\", \"*\\\\PSAppDeployToolkit\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings : (\"C:\\\\Program Files*\\\\ThinKiosk\\\\thinkiosk.exe\", \"*\\\\PSAppDeployToolkit\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings : (\"C:\\\\Program Files*\\\\ThinKiosk\\\\thinkiosk.exe\", \"*\\\\PSAppDeployToolkit\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "ImageLoad via Windows Update Auto Update Client",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+    "references": [
+      "https://dtm.uk/wuauclt/"
+    ],
+    "risk_score": 47,
+    "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement via MSHTA",
+    "query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by host.id, process.entity_id\n",
+    "references": [
+      "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction == \"incoming\" and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n  ] by host.id, process.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction == \"incoming\" and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n  ] by host.id, process.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n  ] by host.id, process.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with MMC",
+    "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
+    ],
+    "risk_score": 73,
+    "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n  source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n  network.direction == \"incoming\" and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n  source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n  network.direction == \"incoming\" and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n  source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
+    "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction == \"incoming\" and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction == \"incoming\" and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via PowerShell Remoting",
+    "query": "sequence by host.id with maxspan = 30s\n   [network where network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n   [network where network.direction == \"incoming\" and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n   [network where network.direction == \"incoming\" and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n   [network where network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.",
+    "false_positives": [
+      "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via WinRM Remote Shell",
+    "query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "risk_score": 47,
+    "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction == \"incoming\" and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction == \"incoming\" and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.004",
+                "name": "InstallUtil",
+                "reference": "https://attack.mitre.org/techniques/T1218/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan = 5m\n  [process where event.type in (\"start\", \"process_started\") and\n    not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n    registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Security Support Provider",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.005",
+                "name": "Security Support Provider",
+                "reference": "https://attack.mitre.org/techniques/T1547/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and\n  process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and\n  process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:kcc and\n  process.args:copy_cred_cache\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and\n  process.name:kcc and\n  process.args:copy_cred_cache\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.",
+    "false_positives": [
+      "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Kerberos Traffic from Unusual Process",
+    "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and (\"--remove\" or \"-r\"))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "false_positives": [
+      "Applications for password management."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Keychain Password Retrieval via Command Line",
+    "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
+    "references": [
+      "https://www.netmeister.org/blog/keychain-passwords.html",
+      "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
+      "https://ss64.com/osx/security.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 73,
+    "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:security and process.args:(\"find-generic-password\" or \"find-internet-password\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LSASS Memory Dump Creation",
+    "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
+    "references": [
+      "https://github.com/outflanknl/Dumpert",
+      "https://github.com/hoangprod/AndrewSpecial"
+    ],
+    "risk_score": 73,
+    "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Movement via Startup Folder",
+    "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2017/06/rdpinception/"
+    ],
+    "risk_score": 73,
+    "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Tool Transfer",
+    "query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction : (\"incoming\", \"ingress\") and\n   network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1570",
+            "name": "Lateral Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1570/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction == \"incoming\" and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction == \"incoming\" and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchAgent"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Launch Agent Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n  file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n  file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchDaemons"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LaunchDaemon Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \" /Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \" /Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Local Scheduled Task Creation",
+    "query": "sequence with maxspan=1m\n  [process where event.type != \"end\" and\n    ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                      \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n    process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                                     \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n                                     \"winrshost.exe\")) or\n    process.code_signature.trusted == false)] by process.entity_id\n  [process where event.type == \"start\" and\n    (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n    process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n    /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n    not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Updated query.",
+          "pre_name": "Local Scheduled Task Commands",
+          "duplicate_old_file": "local-scheduled-task-commands"
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "sequence with maxspan=1m\n  [process where event.type != \"end\" and\n    ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                      \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n    process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                                     \"powershell.exe\", \"pwsh.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n                                     \"winrshost.exe\")) or\n    process.code_signature.trusted == false)] by process.entity_id\n  [process where event.type == \"start\" and\n    (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n    process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n    /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n    not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "MFA Disabled for Google Workspace Organization",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n",
+    "risk_score": 47,
+    "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Detected - Endpoint Security",
+          "duplicate_old_file": "malware-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Prevented - Endpoint Security",
+          "duplicate_old_file": "malware-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "97314185-2568-4561-ae81-f3e480e5e695",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.",
+    "false_positives": [
+      "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "514121ce-c7b6-474a-8237-68ff71672379",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
+    "false_positives": [
+      "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DLP Policy Removed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.",
+    "false_positives": [
+      "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.",
+    "false_positives": [
+      "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.",
+    "false_positives": [
+      "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Management Group Role Assignment",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
+    ],
+    "risk_score": 21,
+    "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
+    "false_positives": [
+      "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Link Policy Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
+    "false_positives": [
+      "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Creation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "272a6484-2663-46db-a532-ef734bf9a796",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Gary Blackwell",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+    "false_positives": [
+      "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 New Inbox Rule Created",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.003",
+                "name": "Email Forwarding Rule",
+                "reference": "https://attack.mitre.org/techniques/T1114/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.",
+    "false_positives": [
+      "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Potential ransomware activity",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1486",
+            "name": "Data Encrypted for Impact",
+            "reference": "https://attack.mitre.org/techniques/T1486/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
+    "false_positives": [
+      "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
+    ],
+    "risk_score": 47,
+    "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.",
+    "false_positives": [
+      "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams External Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"
+    ],
+    "risk_score": 47,
+    "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.",
+    "false_positives": [
+      "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Guest Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies that a user has deleted an unusually large volume of files  as reported by Microsoft Cloud App Security.",
+    "false_positives": [
+      "Users or System Administrator cleaning out folders."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Unusual Volume of File Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.",
+    "false_positives": [
+      "A user sending emails using personal distribution folders may trigger the event."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 User Restricted from Sending Email",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"MSBuild.exe\" and\n  process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n  process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n  (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n  process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"eqnedt32.exe\",\n                         \"excel.exe\",\n                         \"fltldr.exe\",\n                         \"msaccess.exe\",\n                         \"mspub.exe\",\n                         \"outlook.exe\",\n                         \"powerpnt.exe\",\n                         \"winword.exe\" )\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"eqnedt32.exe\",\n                         \"excel.exe\",\n                         \"fltldr.exe\",\n                         \"msaccess.exe\",\n                         \"mspub.exe\",\n                         \"outlook.exe\",\n                         \"powerpnt.exe\",\n                         \"winword.exe\" )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.pe.original_file_name == \"MSBuild.exe\" and\n  not process.name : \"MSBuild.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.pe.original_file_name == \"MSBuild.exe\" and\n  not process.name : \"MSBuild.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.",
+    "false_positives": [
+      "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n    not process.name : (\"werfault.exe\", \"wermgr.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.",
+    "false_positives": [
+      "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.",
+      "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Writing Suspicious Files",
+    "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n",
+    "query": "file where event.type == \"creation\" and\n  process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n  file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n  (\n    file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n       not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n            file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n                        \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n       not file.name : \"TimeoutLogoff.aspx\")\n  )\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "file where event.type == \"creation\" and\n  process.parent.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n  file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n  (\n    file.path : (\"C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\",\n                 \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\") or\n    (file.path : \"C:\\\\*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and not file.name : \"TimeoutLogoff.aspx\")\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Worker Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n  (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n  process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
+      "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+    ],
+    "risk_score": 73,
+    "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n  process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n  (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\") or\n  process.pe.original_file_name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\"))\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or winlog.event_data.OriginalFileName:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.",
+    "false_positives": [
+      "Legitimate Windows Defender configuration changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Windows Defender Tampering",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+      "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+      "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of AmsiEnable Registry Key",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path: \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" and\n  registry.data.strings: \"0\"\n",
+    "references": [
+      "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
+      "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+    ],
+    "risk_score": 73,
+    "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path: \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" and\n  registry.data.strings: \"0\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of Boot Configuration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n  (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n  (process.args : \"no\" and process.args : \"recoveryenabled\")\n",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n  (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n  (process.args : \"no\" and process.args : \"recoveryenabled\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Dynamic Linker Preload Shared Object",
+    "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload\n",
+    "references": [
+      "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+    ],
+    "risk_score": 47,
+    "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.006",
+                "name": "Dynamic Linker Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Environment Variable via Launchctl",
+    "query": "event.category:process and event.type:start and\n  process.name:launchctl and\n  process.args:(setenv and not (JAVA*_HOME or\n                                RUNTIME_JAVA_HOME or\n                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n                                ANT_HOME or\n                                LG_WEBOS_TV_SDK_HOME or\n                                WEBOS_CLI_TV or\n                                EDEN_ENV)\n                ) and\n  not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/usr/local/bin/kr\" or\n                                 \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
+    ],
+    "risk_score": 47,
+    "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:start and process.name:launchctl and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
+    "false_positives": [
+      "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of OpenSSH Binaries",
+    "query": "event.category:file and event.type:change and \n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.executable:/usr/bin/dpkg\n",
+    "references": [
+      "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Safari Settings via Defaults Command",
+    "query": "event.category:process and event.type:start and\n  process.name:defaults and process.args:\n    (com.apple.Safari and write and not\n      (\n      UniversalSearchEnabled or\n      SuppressSearchSuggestions or\n      WebKitTabToLinksPreferenceKey or\n      ShowFullURLInSmartSearchField or\n      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n      )\n    )\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.",
+    "false_positives": [
+      "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Standard Authentication Module or Configuration",
+    "query": "event.category:file and event.type:change and \n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and \n  process.executable:\n    (* and \n      not \n      (\n        /bin/yum or \n        \"/usr/sbin/pam-auth-update\" or \n        /usr/libexec/packagekitd or \n        /usr/bin/dpkg or \n        /usr/bin/vim or \n        /usr/libexec/xpcproxy or \n        /usr/bin/bsdtar or \n        /usr/local/bin/brew or\n        /usr/bin/rsync or\n        /usr/bin/yum or\n        /var/lib/docker/*/bin/yum or\n        /var/lib/docker/*/bin/dpkg or\n        ./merged/var/lib/docker/*/bin/dpkg or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         )\n",
+    "references": [
+      "https://github.com/zephrax/linux-pam-backdoor",
+      "https://github.com/eurialo/pambd",
+      "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
+      "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and event.type:change and (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: (* and not ( /bin/yum or \"/usr/sbin/pam-auth-update\" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of WDigest Security Provider",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n  registry.data.strings:\"1\"\n",
+    "references": [
+      "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
+      "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019"
+    ],
+    "risk_score": 73,
+    "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mounting Hidden or WebDav Remote Shares",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+    "risk_score": 21,
+    "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.16.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-20m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=10m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.15.0",
+          "pre_query": "sequence by process.entity_id with maxspan=10m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "NTDS or SAM Database File Copied",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n       process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n    ) or\n    (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n  ) and\n  process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
+    "references": [
+      "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+      "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
+    ],
+    "risk_score": 73,
+    "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n       process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n    ) or\n    (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n  ) and\n  process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Net command via SYSTEM account",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  process.name : \"whoami.exe\" or\n  (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n  user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  process.name : \"whoami.exe\" or\n  (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and\n   process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n   not (\n         user.id == \"S-1-5-18\" and\n         (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n       )\n   ]\n  [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\")  and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": "Network Connection via Regsvr"
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where event.type == \"start\" and\n   process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n   not (\n         user.id == \"S-1-5-18\" and\n         (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n       )\n   ]\n  [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\")  and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\") and network.protocol != \"dns\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n                 event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n    not cidrmatch(destination.ip,\n      \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n      \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n      \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n      \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n                 event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n    not cidrmatch(destination.ip,\n      \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n      \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n      \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n      \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.",
+    "false_positives": [
+      "Authorized third party network logon providers."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Logon Provider Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n       registry.data.strings in\n                (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n                 \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n                 \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n      )\n",
+    "references": [
+      "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+      "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+    ],
+    "risk_score": 47,
+    "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_destination_country",
+    "name": "Network Traffic to Rare Destination Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "New or Modified Federation Domain",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or \n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"
+    ],
+    "risk_score": 21,
+    "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.002",
+                "name": "Domain Trust Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: nping and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:nping and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "NullSessionPipe Registry Modification",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n",
+    "references": [
+      "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"
+    ],
+    "risk_score": 47,
+    "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Excessive Single Sign-On Logon Errors",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+    "risk_score": 73,
+    "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
+    "false_positives": [
+      "Assignment of rights to a service account."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Exchange Suspicious Mailbox Right Delegation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success\n",
+    "risk_score": 21,
+    "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.",
+    "false_positives": [
+      "Legitimate whitelisting of noisy accounts"
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Mailbox Audit Logging Bypass",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n",
+    "references": [
+      "https://twitter.com/misconfig/status/1476144066807140355"
+    ],
+    "risk_score": 47,
+    "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Outbound Scheduled Task Activity via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where file.name: \"taskschd.dll\" and process.name: (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Parent Process PID Spoofing",
+    "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=5m\n [process where event.type == \"start\" and\n  process.Ext.token.integrity_level_name != \"system\" and\n  (\n    process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                                     \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                                     \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n                                     \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or\n    process.executable : (\"?:\\\\Users\\\\*.exe\",\n                          \"?:\\\\ProgramData\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Tasks\\\\*\") or\n    process.code_signature.trusted != true\n  )\n  ] by process.pid\n [process where event.type == \"start\" and process.parent.Ext.real.pid > 0 and\n  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n  \n  not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\")\n ] by process.parent.Ext.real.pid\n",
+    "references": [
+      "https://blog.didierstevens.com/2017/03/20/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/",
+            "subtechnique": [
+              {
+                "id": "T1134.004",
+                "name": "Parent PID Spoofing",
+                "reference": "https://attack.mitre.org/techniques/T1134/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Peripheral Device Discovery",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+    "risk_score": 21,
+    "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1120",
+            "name": "Peripheral Device Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1120/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Detected - Endpoint Security",
+          "duplicate_old_file": "permission-theft-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Prevented - Endpoint Security",
+          "duplicate_old_file": "permission-theft-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via BITS Job Notify Cmdline",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n  not process.executable :\n              (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n               \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n               \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+      "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+      "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+    ],
+    "risk_score": 47,
+    "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1197",
+            "name": "BITS Jobs",
+            "reference": "https://attack.mitre.org/techniques/T1197/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via DirectoryService Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n",
+    "references": [
+      "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"
+    ],
+    "risk_score": 47,
+    "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via Docker Shortcut Modification",
+    "query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Folder Action Script",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\")] by process.parent.pid\n",
+    "references": [
+      "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
+    ],
+    "risk_score": 47,
+    "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.ppid\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.ppid\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.parent.pid\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Hidden Run Key Detected",
+    "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+    "references": [
+      "https://github.com/outflanknl/SharpHide",
+      "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via KDE AutoStart Script or Desktop File Modification",
+    "query": "file where event.type != \"deletion\" and\n  file.extension in (\"sh\", \"desktop\") and\n  file.path :\n    (\n      \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n      \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n      \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n      \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n      \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n      \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n      \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n      \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n    )\n",
+    "references": [
+      "https://userbase.kde.org/System_Settings/Autostart",
+      "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Login or Logout Hook",
+    "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n       (\n         \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n       )\n",
+    "references": [
+      "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
+      "https://www.manpagez.com/man/1/defaults/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Office AddIns",
+    "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n    (\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n    )\n",
+    "references": [
+      "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type != \"deletion\" and\n wildcard(file.extension,\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n                     \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n                     \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type != \"deletion\" and\n wildcard(file.extension,\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n                     \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n                     \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.",
+    "false_positives": [
+      "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Outlook VBA",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+      "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"
+    ],
+    "risk_score": 47,
+    "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type != \"deletion\" and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type != \"deletion\" and\n wildcard(file.path, \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.",
+    "false_positives": [
+      "Legitimate scheduled jobs may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Scheduled Job Creation",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+    "risk_score": 47,
+    "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n  not process.name : (\"conhost.exe\",\n                      \"DeviceCensus.exe\",\n                      \"CompatTelRunner.exe\",\n                      \"DismHost.exe\",\n                      \"rundll32.exe\",\n                      \"powershell.exe\")\n",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n  not process.name : (\"conhost.exe\",\n                      \"DeviceCensus.exe\",\n                      \"CompatTelRunner.exe\",\n                      \"DismHost.exe\",\n                      \"rundll32.exe\",\n                      \"powershell.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "process where event.type == \"start\" and\n  process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n  process.parent.args : \"UsoSvc\" and\n  not process.executable :\n         (\n          \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n          )\n",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Event Subscription",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+    "risk_score": 21,
+    "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.003",
+                "name": "Windows Management Instrumentation Event Subscription",
+                "reference": "https://attack.mitre.org/techniques/T1546/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Standard Registry Provider",
+    "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n                  \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n                  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
+    ],
+    "risk_score": 73,
+    "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistent Scripts in the Startup Directory",
+    "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+    "risk_score": 47,
+    "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Port Forwarding Rule Addition",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and \n  (\n    azure.activitylogs.operation_name:\"Consent to application\" or\n    azure.auditlogs.operation_name:\"Consent to application\" or\n    o365.audit.Operation:\"Consent to application.\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" ) and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Okta DoS Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Admin Group Account Addition",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n",
+    "references": [
+      "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"
+    ],
+    "risk_score": 47,
+    "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+    "false_positives": [
+      "Processes such as MS Office using IEproxy to render HTML content."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Command and Control via Internet Explorer",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
+    "risk_score": 47,
+    "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 1s\n  [process where event.type:\"start\" and process.parent.name:\"iexplore.exe\" and process.parent.args:\"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol : \"dns\" and process.name:\"iexplore.exe\" and\n   not wildcard(dns.question.name, \"*.microsoft.com\", \n                                   \"*.digicert.com\", \n                                   \"*.msocsp.com\", \n                                   \"*.windowsupdate.com\", \n                                   \"*.bing.com\",\n                                   \"*.identrust.com\")\n  ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 1s\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\"\n    )\n  ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
+    "false_positives": [
+      "Developers performing browsers plugin or extension debugging."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Potential Cookies Theft via Browser Debugging",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\", \n                   \"--remote-debugging-targets=*\",  \n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+    "references": [
+      "https://github.com/defaultnamehere/cookie_crimes",
+      "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+      "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+      "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
+    ],
+    "risk_score": 47,
+    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via DuplicateHandle in LSASS",
+    "query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+    "references": [
+      "https://github.com/CCob/MirrorDump"
+    ],
+    "risk_score": 47,
+    "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via LSASS Memory Dump",
+    "query": "process where event.code == \"10\" and\n  winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n  \n   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n  winlog.event_data.CallTrace : (\"*dbhelp*\", \"*dbgcore*\") and\n  \n   /* case of lsass crashing */\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n",
+    "references": [
+      "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"
+    ],
+    "risk_score": 73,
+    "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Renamed COM+ Services DLL",
+    "note": "## Config\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.",
+    "query": "sequence by process.entity_id with maxspan=1m\n [process where event.category == \"process\" and\n    process.name : \"rundll32.exe\"]\n [process where event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n   (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n    /* renamed COMSVCS */\n    not file.name : \"COMSVCS.DLL\"]\n",
+    "references": [
+      "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Windows Utilities",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+    "references": [
+      "https://lolbas-project.github.io/"
+    ],
+    "risk_score": 73,
+    "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              },
+              {
+                "id": "T1003.003",
+                "name": "NTDS",
+                "reference": "https://attack.mitre.org/techniques/T1003/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Dennis Perto"
+    ],
+    "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+    "false_positives": [
+      "Microsoft Antimalware Service Executable installed on non default installation path."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+    "query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n",
+    "references": [
+      "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+    ],
+    "risk_score": 73,
+    "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\"))\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "process where event.type == \"start\" and\n  process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n  not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n         process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n                               \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n         )\n",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)\n",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (iodine or iodined) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(iodine or iodined) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via NsLookup",
+    "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.004",
+                "name": "DNS",
+                "reference": "https://attack.mitre.org/techniques/T1071/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 15
+    },
+    "type": "threshold",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0\n",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:setenforce and process.args:0",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+    "risk_score": 47,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Hidden Local User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n",
+    "references": [
+      "https://support.apple.com/en-us/HT203998"
+    ],
+    "risk_score": 47,
+    "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Kerberos Attack via Bifrost",
+    "query": "event.category:process and event.type:start and \n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n",
+    "references": [
+      "https://github.com/its-a-feature/bifrost"
+    ],
+    "risk_score": 73,
+    "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.003",
+                "name": "Pass the Ticket",
+                "reference": "https://attack.mitre.org/techniques/T1550/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "event.category:process and event.type:start and \n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSA Authentication Package Abuse",
+    "query": "registry where event.type == \"change\" and\n  registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 47,
+    "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.",
+    "query": "process where event.code:\"4688\" and\n  process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n  process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
+    ],
+    "risk_score": 73,
+    "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
+    "query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "winlog.event_data.TargetProcessId",
+          "value": 2
+        }
+      ],
+      "field": [
+        "process.entity_id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Microsoft Office Sandbox Evasion",
+    "query": "event.category:file and not event.type:deletion and file.name:~$*.zip\n",
+    "references": [
+      "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
+      "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/",
+      "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"
+    ],
+    "risk_score": 73,
+    "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+    "references": [
+      "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
+    ],
+    "risk_score": 73,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.",
+    "false_positives": [
+      "Updates to approved and trusted SSH executables can trigger this rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential OpenSSH Backdoor Logging Activity",
+    "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n  (\n    file.name : (\".*\", \"~*\") or\n    file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n    file.path : \n    (\n      \"/private/etc/*--\", \n      \"/usr/share/*\", \n      \"/usr/include/*\", \n      \"/usr/local/include/*\", \n      \"/private/tmp/*\", \n      \"/private/var/tmp/*\",\n      \"/usr/tmp/*\", \n      \"/usr/share/man/*\", \n      \"/usr/local/share/*\", \n      \"/usr/lib/*.so.*\", \n      \"/private/etc/ssh/.sshd_auth\",\n      \"/usr/bin/ssd\", \n      \"/private/var/opt/power\", \n      \"/private/etc/ssh/ssh_known_hosts\", \n      \"/private/var/html/lol\", \n      \"/private/var/log/utmp\", \n      \"/private/var/lib\",\n      \"/var/run/sshd/sshd.pid\",\n      \"/var/run/nscd/ns.pid\",\n      \"/var/run/udev/ud.pid\",\n      \"/var/run/udevd.pid\"\n    )\n  )\n",
+    "references": [
+      "https://github.com/eset/malware-ioc/tree/master/sshdoor",
+      "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Password Spraying of Microsoft 365 User Accounts",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
+    "risk_score": 73,
+    "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Atom Init Script Modification",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
+      "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Login Hook",
+    "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:\"file\" and not event.type:\"deletion\" and file.name:\"com.apple.loginwindow.plist\" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Periodic Tasks",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n",
+    "references": [
+      "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
+      "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"
+    ],
+    "risk_score": 21,
+    "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Time Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/22/persistence-time-providers/"
+    ],
+    "risk_score": 47,
+    "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.003",
+                "name": "Time Providers",
+                "reference": "https://attack.mitre.org/techniques/T1547/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Port Monitor or Print Processor Registration Abuse",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n    \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n  registry.data.strings : \"*.dll\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare Exploit Registry Modification",
+    "query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n   registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare File Modification",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
+    "references": [
+      "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via TCCDB Modification",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+    "references": [
+      "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
+      "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
+      "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
+    ],
+    "risk_score": 47,
+    "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via InstallerFileTakeOver",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Priivilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,\nan unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n#### Possible investigation steps:\n\n- Check for the digital signature of the executable\n- Look for additional processes spawned by the process, command lines and network communications.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n\n- Verify whether the digital signature exists in the executable, and if it is valid.\n\n### Related Rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and Remediation\n\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and \n    user.id : \"S-1-5-18\" and\n    (\n      (process.name : \"elevation_service.exe\" and \n       not process.pe.original_file_name == \"elevation_service.exe\") or\n\n      (process.parent.name : \"elevation_service.exe\" and \n       process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\")) \n    )\n",
+    "references": [
+      "https://github.com/klinix5/InstallerFileTakeOver"
+    ],
+    "risk_score": 73,
+    "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via Sudoers File Modification",
+    "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n",
+    "risk_score": 73,
+    "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Process Herpaderping Attempt",
+    "query": "sequence with maxspan=5s\n   [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n   [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+    "references": [
+      "https://github.com/jxy-s/herpaderping"
+    ],
+    "risk_score": 73,
+    "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=5s\n   [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n   [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Process Injection via PowerShell",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,\nlike the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject\npayloads directly into the memory, without touching the disk.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n   (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n      LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n   (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n      SuspendThread or ResumeThread)\n  )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
+      "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Protocol Tunneling via EarthWorm",
+    "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
+    "references": [
+      "http://rootkiter.com/EarthWorm/",
+      "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+    ],
+    "risk_score": 47,
+    "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Shadowing Activity",
+    "query": "/* Identifies the modification of RDP Shadow registry or\n  the execution of processes indicative of active shadow RDP session */\n\nany where \n  (event.category == \"registry\" and\n     registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n  ) or\n  (event.category == \"process\" and \n     (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n     (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n  )\n",
+    "references": [
+      "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
+      "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.13.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Tunneling Detected",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+    "references": [
+      "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
+    ],
+    "risk_score": 73,
+    "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and \n/* RDP port and usual SSH tunneling related switches in commandline */\nwildcard(process.args, \"*:3389\") and wildcard(process.args,\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\") \n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and \n/* RDP port and usual SSH tunneling related switches in commandline */\nwildcard(process.args, \"*:3389\") and wildcard(process.args,\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Reverse Shell Activity via Terminal",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n  process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n",
+    "references": [
+      "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+      "https://github.com/WangYihang/Reverse-Shell-Manager",
+      "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential SSH Brute Force Detected",
+    "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n",
+    "references": [
+      "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 20
+    },
+    "type": "threshold",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type == \"change\" and wildcard(file.name,\"*AAA.AAA\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type == \"change\" and wildcard(file.name,\"*AAA.AAA\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential SharpRDP Behavior",
+    "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction == \"incoming\" and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction == \"incoming\" and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and\n  user.name:(apache or nginx or www or \"www-data\")\n",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "pre_query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.8.0",
+          "pre_query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\") and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Windows Error Manager Masquerading",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
+      "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
+          "doc_text": "Updated query.",
+          "pre_name": "Process Potentially Masquerading as WerFault"
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction == \"outgoing\" and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction == \"outgoing\" and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Keylogging Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other\nvaluable information as Credit Card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n   )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
+      "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.001",
+                "name": "Keylogging",
+                "reference": "https://attack.mitre.org/techniques/T1056/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.",
+    "false_positives": [
+      "Powershell Scripts that use this capability for troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell MiniDump Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nProcess Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged\ninformation stored in the process memory.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
+      "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 73,
+    "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "event.code:\"4104\" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell PSReflect Script",
+    "note": "## Triage and analysis\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through\nPowerShell, enabling the defender to discover tools being dropped in the environment.\n\n#### Possible investigation steps:\n- Check for additional PowerShell logs that indicate that the script/command was run.\n- Gather the script content that may be split into multiple script blocks, and identify its capabilities.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\nThe 'PowerShell Script Block Logging' logging policy is required be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text:(\n    New-InMemoryModule or\n    Add-Win32Type or\n    psenum or\n    DefineDynamicAssembly or\n    DefineDynamicModule or\n    Reflection.TypeAttributes or\n    Reflection.Emit.OpCodes or\n    Reflection.Emit.CustomAttributeBuilder or\n    Runtime.InteropServices.DllImportAttribute\n  )\n",
+    "references": [
+      "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Discovery Related Windows API Functions",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries\nlike PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    NetShareEnum or\n    NetWkstaUserEnum or\n    NetSessionEnum or\n    NetLocalGroupEnum or\n    NetLocalGroupGetMembers or\n    DsGetSiteName or\n    DsEnumerateDomainTrusts or\n    WTSEnumerateSessionsEx or\n    WTSQuerySessionInformation or\n    LsaGetLogonSessionData or\n    QueryServiceObjectSecurity\n  )\n",
+    "references": [
+      "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          },
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    NetShareEnum or\n    NetWkstaUserEnum or\n    NetSessionEnum or\n    NetLocalGroupEnum or\n    NetLocalGroupGetMembers or\n    DsGetSiteName or\n    DsEnumerateDomainTrusts or\n    WTSEnumerateSessionsEx or\n    WTSQuerySessionInformation or\n    LsaGetLogonSessionData or\n    QueryServiceObjectSecurity\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.",
+    "false_positives": [
+      "Legitimate PowerShell Scripts which makes use of compression and encoding"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Payload Encoded and Compressed",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    (System.IO.Compression.DeflateStream or System.IO.Compression.GzipStream or IO.Compression.DeflateStream or IO.Compression.GzipStream) and\n    FromBase64String\n  )\n",
+    "risk_score": 47,
+    "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the\ncomputer.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1123",
+            "name": "Audio Capture",
+            "reference": "https://attack.mitre.org/techniques/T1123/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Screenshot Capabilities",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (System.Drawing.Bitmap or Drawing.Bitmap)\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
+    ],
+    "risk_score": 47,
+    "rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1113",
+            "name": "Screen Capture",
+            "reference": "https://attack.mitre.org/techniques/T1113/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Named Pipe Impersonation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+    "references": [
+      "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation"
+    ],
+    "risk_score": 73,
+    "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Rogue Named Pipe Impersonation",
+    "note": "## Config\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n",
+    "query": "file where event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n  file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
+    "references": [
+      "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
+      "https://github.com/zcgonvh/EfsPotato",
+      "https://twitter.com/SBousseaden/status/1429530155291193354"
+    ],
+    "risk_score": 73,
+    "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Root Crontab File Modification",
+    "query": "event.category:file and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n",
+    "references": [
+      "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
+      "https://www.exploit-db.com/exploits/42146"
+    ],
+    "risk_score": 73,
+    "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Windir Environment Variable",
+    "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+    "references": [
+      "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Execution from an Unusual Directory",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "risk_score": 47,
+    "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Detected - Endpoint Security",
+          "duplicate_old_file": "process-injection-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Prevented - Endpoint Security",
+          "duplicate_old_file": "process-injection-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Termination followed by Deletion",
+    "query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+    "risk_score": 47,
+    "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Program Files Directory Masquerading",
+    "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.005",
+                "name": "Match Legitimate Name or Location",
+                "reference": "https://attack.mitre.org/techniques/T1036/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n  process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n  not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n  process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n  not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n  process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n  not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Prompt for Credentials with OSASCRIPT",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
+      "https://ss64.com/osx/osascript.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.002",
+                "name": "GUI Input Capture",
+                "reference": "https://attack.mitre.org/techniques/T1056/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name:\"osascript\" and process.args:\"-e\" and process.args:\"password\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name:\"osascript\" and process.args:\"-e\" and process.args:\"password\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:PsExec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:PsExec.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "RDP Enabled via Registry",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Detected - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Detected - Endpoint Security",
+          "duplicate_old_file": "ransomware-detected-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Prevented - Elastic Endpoint Security"
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Prevented - Endpoint Security",
+          "duplicate_old_file": "ransomware-prevented-endpoint-security"
+        },
+        {
+          "version": 6,
+          "updated": "7.12.1",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "8.0.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
+    "false_positives": [
+      "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_user",
+    "name": "Rare User Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppCert DLL",
+    "query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+    "risk_score": 47,
+    "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.009",
+                "name": "AppCert DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/009/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppInit DLL",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.010",
+                "name": "AppInit DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Desktop Enabled in Windows Firewall",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+    "risk_score": 47,
+    "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Execution via File Shares",
+    "query": "sequence with maxspan=1m\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "references": [
+      "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=1m\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy to a Hidden Share",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+    "risk_score": 47,
+    "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n  file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          },
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n  file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n  process.args : \"/lockscreenurl:http*\"\n",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n   process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or winlog.event_data.OriginalFileName:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+    "risk_score": 47,
+    "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Script Interpreter",
+    "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+    "risk_score": 47,
+    "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on)\n",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html",
+      "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Scheduled Task Creation",
+    "note": "## Triage and analysis\n\n### Investigating Creation of Remote Scheduled Tasks\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can\nbe used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.\nWhen investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the\noriginal intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind\nof network administrator work. One objective for these alerts is to understand the configured action within the scheduled\ntask, this is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps:\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the\nscheduled task.\n- Further examination should include both the source and target machines where host-based artifacts and network logs\nshould be reviewed further around the time window of the creation of the scheduled task.\n\n### False Positive Analysis\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature\nwithin Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to\nfurther understand the source of the activity and determine the intent based on the scheduled task contents.\n\n### Related Rules\n- Service Command Lateral Movement\n- Remotely Started Services via RPC\n\n### Response and Remediation\n- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should\nbe taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise\nbehavior.\n- Remove scheduled task and any other related artifacts to the activity.\n- Review privileged account management and user account management settings such as implementing GPO policies to further\nrestrict activity or configure settings that only allow Administrators to create remote scheduled tasks.\n",
+    "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction == \"incoming\" and source.port >= 49152 and destination.port >= 49152 and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction == \"incoming\" and source.port >= 49152 and destination.port >= 49152 and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction == \"incoming\" and source.port >= 49152 and destination.port >= 49152 and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "8.0.0",
+          "pre_query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote System Discovery Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+    "risk_score": 21,
+    "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remotely Started Services via RPC",
+    "query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction == \"incoming\" and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction == \"incoming\" and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process AND event.type:(start OR process_started) AND (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/) AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.16.0",
+          "pre_query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "8.0.0",
+          "pre_query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SIP Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path: (\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n    ) and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://github.com/mattifestation/PoCSubjectInterfacePackage"
+    ],
+    "risk_score": 47,
+    "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.003",
+                "name": "SIP and Trust Provider Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1553/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:26",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SSH Authorized Keys File Modification",
+    "query": "event.category:file and event.type:(change or creation) and \n file.name:(\"authorized_keys\" or \"authorized_keys2\") and \n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or \n              /usr/local/Cellar/maven/*/libexec/bin/mvn or \n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or \n              /usr/bin/vim or \n              /usr/local/Cellar/coreutils/*/bin/gcat or \n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or \n              /usr/bin/scp or\n              /usr/bin/touch or \n              /var/lib/docker/*)\n",
+    "risk_score": 47,
+    "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.004",
+                "name": "SSH Authorized Keys",
+                "reference": "https://attack.mitre.org/techniques/T1098/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SUNBURST Command and Control Activity",
+    "note": "## Triage and analysis\n\nThe SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
+    "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n  process.name : (\"ConfigurationWizard.exe\",\n                  \"NetFlowService.exe\",\n                  \"NetflowDatabaseMaintenance.exe\",\n                  \"SolarWinds.Administration.exe\",\n                  \"SolarWinds.BusinessLayerHost.exe\",\n                  \"SolarWinds.BusinessLayerHostx64.exe\",\n                  \"SolarWinds.Collector.Service.exe\",\n                  \"SolarwindsDiagnostics.exe\") and\n  (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n  (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n  not http.request.body.content : \"*solarwinds.com*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Created by a Windows Script",
+    "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.",
+    "query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n  [library where file.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.13.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Execution at Scale via GPO",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,\nthis is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious\ncommands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and \n   winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) \nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n  (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse",
+      "https://twitter.com/menasec1/status/1106899890377052160",
+      "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
+    ],
+    "risk_score": 47,
+    "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Tasks AT Command Enabled",
+    "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"
+    ],
+    "risk_score": 47,
+    "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Screensaver Plist File Modified by Unexpected Process",
+    "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host",
+    "query": "file where event.type != \"deletion\" and\n  file.name: \"com.apple.screensaver.*.plist\" and\n  file.path : (\n    \"/Users/*/Library/Preferences/ByHost/*\",\n    \"/Library/Managed Preferences/*\",\n    \"/System/Library/Preferences/*\"\n    ) and\n  /* Filter OS processes modifying screensaver plist files */\n  not process.executable : (\n    \"/usr/sbin/cfprefsd\",\n    \"/usr/libexec/xpcproxy\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Searching for Saved Credentials via VaultCmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n  process.args:\"/list*\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://rastamouse.me/blog/rdp-jump-boxes/"
+    ],
+    "risk_score": 47,
+    "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.004",
+                "name": "Windows Credential Manager",
+                "reference": "https://attack.mitre.org/techniques/T1555/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n  process.args:\"/list*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery using WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+    "risk_score": 47,
+    "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
+    "false_positives": [
+      "Endpoint Security installers, updaters and post installation verification scripts."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery via Grep",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n   process.args :\n         (\"Little Snitch*\",\n          \"Avast*\",\n          \"Avira*\",\n          \"ESET*\",\n          \"BlockBlock*\",\n          \"360Sec*\",\n          \"LuLu*\",\n          \"KnockKnock*\",\n          \"kav\",\n          \"KIS\",\n          \"RTProtectionDaemon*\",\n          \"Malware*\",\n          \"VShieldScanner*\",\n          \"WebProtection*\",\n          \"webinspectord*\",\n          \"McAfee*\",\n          \"isecespd*\",\n          \"macmnsvc*\",\n          \"masvc*\",\n          \"kesl*\",\n          \"avscan*\",\n          \"guard*\",\n          \"rtvscand*\",\n          \"symcfgd*\",\n          \"scmdaemon*\",\n          \"symantec*\",\n          \"sophos*\",\n          \"osquery*\",\n          \"elastic-endpoint*\"\n          ) and\n   not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
+    "risk_score": 47,
+    "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category : process and event.type : (start or process_started) and process.name : grep and process.args : (\"Little Snitch\" or Avast* or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or VShieldScanner or WebProtection or webinspectord or McAfee* or isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand or symcfgd or scmdaemon or symantec or elastic-endpoint )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sensitive Files Compression",
+    "query": "event.category:process and event.type:start and\n  process.name:(zip or tar or gzip or hdiutil or 7z) and\n  process.args:\n    (\n      /root/.ssh/id_rsa or\n      /root/.ssh/id_rsa.pub or\n      /root/.ssh/id_ed25519 or\n      /root/.ssh/id_ed25519.pub or\n      /root/.ssh/authorized_keys or\n      /root/.ssh/authorized_keys2 or\n      /root/.ssh/known_hosts or\n      /root/.bash_history or\n      /etc/hosts or\n      /home/*/.ssh/id_rsa or\n      /home/*/.ssh/id_rsa.pub or\n      /home/*/.ssh/id_ed25519 or\n      /home/*/.ssh/id_ed25519.pub or\n      /home/*/.ssh/authorized_keys or\n      /home/*/.ssh/authorized_keys2 or\n      /home/*/.ssh/known_hosts or\n      /home/*/.bash_history or\n      /root/.aws/credentials or\n      /root/.aws/config or\n      /home/*/.aws/credentials or\n      /home/*/.aws/config or\n      /root/.docker/config.json or\n      /home/*/.docker/config.json or\n      /etc/group or\n      /etc/passwd or\n      /etc/shadow or\n      /etc/gshadow\n    )\n",
+    "references": [
+      "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Collection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan = 1m\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n      process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n      process.args : (\"create\", \"config\", \"failure\", \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n                               /* uncomment once in winlogbeat */\n     (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n                                                   /* case insensitive */\n      wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n      (process.args : \"create\" or\n       process.args : \"config\" or\n       process.args : \"failure\" or\n       process.args : \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n                               /* uncomment once in winlogbeat */\n     (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n                                                   /* case insensitive */\n      wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n      (process.args : \"create\" or\n       process.args : \"config\" or\n       process.args : \"failure\" or\n       process.args : \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Control Spawned via Script Interpreter",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n  process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n                         \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n  process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n  /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Updated query.",
+          "pre_name": "Local Service Commands",
+          "duplicate_old_file": "local-service-commands"
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Setuid / Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n           (\n             /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n             /\\/usr\\/local\\/lib\\/python.+/ OR\n             /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n             /\\/Library\\/Filesystems\\/.+/ OR\n             /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n             /\\/Library\\/Application.*/ OR\n             \"/run/postgresql\" OR\n             \"/var/crash\" OR\n             \"/var/run/postgresql\" OR\n             /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n             /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n             \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n             /\\/run\\/log\\/journal\\/.*/ OR\n             \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n           ) AND\n NOT process.parent.executable:\n           (\n             /\\/var\\/lib\\/docker\\/.+/ OR\n             \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n             \"/var/lib/dpkg/info/whoopsie.postinst\"\n           )\n",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.001",
+                "name": "Setuid and Setgid",
+                "reference": "https://attack.mitre.org/techniques/T1548/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Updated query.",
+          "pre_name": "Setuid Bit Set via chmod",
+          "duplicate_old_file": "setuid-bit-set-via-chmod"
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shell Execution via Apple Scripting",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n",
+    "references": [
+      "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shortcut File Written or Modified for Persistence",
+    "query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.",
+    "false_positives": [
+      "Authorized SoftwareUpdate Settings Changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SoftwareUpdate Preferences Modification",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:defaults and \n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n",
+    "references": [
+      "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SolarWinds Process Disabling Services via Registry",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a\nparticular error message. The error message in question was associated with the response to an AWS API command or method call,\nthis has the potential to uncover unknown threats or activity.\n\n#### Possible investigation steps:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n\n### False Positive Analysis\n- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent\nchanges to automation modules or scripting.\n- Adoption of new services or implementing new functionality to scripts may generate false positives\n\n### Related Rules\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
+    "false_positives": [
+      "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_fails",
+    "name": "Spike in Failed Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_denies",
+    "name": "Spike in Firewall Denies",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.13.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events",
+    "name": "Spike in Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
+    "name": "Spike in Logon Events from a Source IP",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_events",
+    "name": "Spike in Network Traffic",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.13.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_by_destination_country",
+    "name": "Spike in Network Traffic To a Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup Folder Persistence via Unsigned Process",
+    "query": "sequence by host.id, process.entity_id with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n  /* suspicious paths can be added here  */\n   process.executable : (\"C:\\\\Users\\\\*.exe\", \n                         \"C:\\\\ProgramData\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n                         \"C:\\\\Intel\\\\*.exe\", \n                         \"C:\\\\PerfLogs\\\\*.exe\")\n   ]\n   [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n    file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n                 \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n   ]\n",
+    "risk_score": 41,
+    "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n  /* suspicious paths can be added here  */\n   process.executable : (\"C:\\\\Users\\\\*.exe\", \n                         \"C:\\\\ProgramData\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n                         \"C:\\\\Intel\\\\*.exe\", \n                         \"C:\\\\PerfLogs\\\\*.exe\")\n   ]\n   [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n    file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n                 \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n   ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup or Run Key Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n  not (process.name : \"OneDriveSetup.exe\" and\n       registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n       registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n",
+    "risk_score": 21,
+    "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.domain != \"NT AUTHORITY\" and\n  not registry.data.strings : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.domain != \"NT AUTHORITY\" and\n  not registry.data.strings : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "/* uncomment length once stable */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.domain != \"NT AUTHORITY\" and\n  not registry.data.strings : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.",
+    "false_positives": [
+      "Legitimate Administrative Activity"
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Startup/Logon Script added to Group Policy Object",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to\nexecute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or \n`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\\Machine\\Scripts\\`, `<GPOPath>\\User\\Scripts\\`\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n   winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n   (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 47,
+    "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: strace and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:strace and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Sublime Plugin or Application Script Modification",
+    "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n  file.path : \n    (\n      \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n    ) and\n  not process.executable : \n    (\n      \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n      \"/usr/local/Cellar/git/*/bin/git\", \n      \"/usr/libexec/xpcproxy\", \n      \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 21,
+    "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.",
+    "false_positives": [
+      "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudo Heap-Based Buffer Overflow Attempt",
+    "query": "event.category:process and event.type:start and\n  process.name:(sudo or sudoedit) and\n  process.args:(*\\\\ and (\"-i\" or \"-s\"))\n",
+    "references": [
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
+      "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
+      "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
+      "https://www.sudo.ws/alerts/unescape_overflow.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.hostname"
+      ],
+      "value": 100
+    },
+    "type": "threshold",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n",
+    "risk_score": 47,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.module:file_integrity and event.action:updated and file.path:/etc/sudoers",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Reflection via PowerShell",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    \"[System.Reflection.Assembly]::Load\" or\n    \"[Reflection.Assembly]::Load\"\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
+    ],
+    "risk_score": 73,
+    "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Automator Workflows Execution",
+    "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Browser Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n  process.command_line != null and \n  not process.args : \n    ( \n      \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n      \"hw.model\", \n      \"IOPlatformExpertDevice\", \n      \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n      \"--defaults-torrc\", \n      \"Chrome.app\", \n      \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n      \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n      \"$DISPLAY\", \n      \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n    )\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x43.html",
+      "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"
+    ],
+    "risk_score": 73,
+    "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1203",
+            "name": "Exploitation for Client Execution",
+            "reference": "https://attack.mitre.org/techniques/T1203/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1189",
+            "name": "Drive-by Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1189/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.",
+    "false_positives": [
+      "Trusted applications for managing calendars and reminders."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Calendar File Modification",
+    "query": "event.category:file and event.action:modification and\n  file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n  process.executable:\n  (* and not \n    (\n      /System/Library/* or \n      /System/Applications/Calendar.app/Contents/MacOS/* or \n      /usr/libexec/xpcproxy or \n      /sbin/launchd or \n      /Applications/*\n    )\n  )\n",
+    "references": [
+      "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
+      "https://github.com/FSecureLABS/CalendarPersist",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious CertUtil Commands",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n",
+    "references": [
+      "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+      "https://twitter.com/egre55/status/1087685529016193025",
+      "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+      "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"
+    ],
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.14.0",
+          "pre_query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": "Encoding or Decoding Files via CertUtil",
+          "duplicate_old_file": "encoding-or-decoding-files-via-certutil"
+        },
+        {
+          "version": 10,
+          "updated": "8.0.0",
+          "pre_query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.",
+    "false_positives": [
+      "Trusted system or Adobe Acrobat Related processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n  user.name:root and\n  not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n                           /usr/bin/codesign or\n                           /private/var/folders/zz/*/T/download/ARMDCHammer or\n                           /usr/sbin/pkgutil or\n                           /usr/bin/shasum or\n                           /usr/bin/perl* or\n                           /usr/sbin/spctl or\n                           /usr/sbin/installer)\n",
+    "references": [
+      "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Cmd Execution via WMI",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
+    "risk_score": 47,
+    "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"WmiPrvSE.exe\" and process.name == \"cmd.exe\" and\n wildcard(process.args, \"\\\\\\\\127.0.0.1\\\\*\") and process.args in (\"2>&1\", \"1>\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"WmiPrvSE.exe\" and process.name == \"cmd.exe\" and\n wildcard(process.args, \"\\\\\\\\127.0.0.1\\\\*\") and process.args in (\"2>&1\", \"1>\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
+    "query": "library where dll.name :\n  (\n  \"wlbsctrl.dll\",\n  \"wbemcomn.dll\",\n  \"WptsExtensions.dll\",\n  \"Tsmsisrv.dll\",\n  \"TSVIPSrv.dll\",\n  \"Msfte.dll\",\n  \"wow64log.dll\",\n  \"WindowsCoreDeviceInfo.dll\",\n  \"Ualapi.dll\",\n  \"wlanhlp.dll\",\n  \"phoneinfo.dll\",\n  \"EdgeGdi.dll\",\n  \"cdpsgshims.dll\",\n  \"windowsperformancerecordercontrol.dll\",\n  \"diagtrack_win.dll\"\n  ) and \nnot (dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and dll.code_signature.status : \"trusted\")\n",
+    "references": [
+      "https://itm4n.github.io/windows-dll-hijacking-clarified/",
+      "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+      "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
+      "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+      "https://windows-internals.com/faxing-your-way-to-system/",
+      "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.001",
+                "name": "DLL Search Order Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "library where dll.name :\n  (\n  \"wlbsctrl.dll\",\n  \"wbemcomn.dll\",\n  \"WptsExtensions.dll\",\n  \"Tsmsisrv.dll\",\n  \"TSVIPSrv.dll\",\n  \"Msfte.dll\",\n  \"wow64log.dll\",\n  \"WindowsCoreDeviceInfo.dll\",\n  \"Ualapi.dll\",\n  \"wlanhlp.dll\",\n  \"phoneinfo.dll\",\n  \"EdgeGdi.dll\",\n  \"cdpsgshims.dll\",\n  \"windowsperformancerecordercontrol.dll\",\n  \"diagtrack_win.dll\"\n  ) and \nnot (dll.code_signature.subject_name : \"Microsoft Windows\" and dll.code_signature.status : \"trusted\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Emond Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n   \"bash\",\n   \"dash\",\n   \"sh\",\n   \"tcsh\",\n   \"csh\",\n   \"zsh\",\n   \"ksh\",\n   \"fish\",\n   \"Python\",\n   \"python*\",\n   \"perl*\",\n   \"php*\",\n   \"osascript\",\n   \"pwsh\",\n   \"curl\",\n   \"wget\",\n   \"cp\",\n   \"mv\",\n   \"touch\",\n   \"echo\",\n   \"base64\",\n   \"launchctl\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3e3d15c6-1509-479a-b125-21718372157e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution - Short Program Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+    "risk_score": 47,
+    "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution from a Mounted Device",
+    "query": "process where event.type == \"start\" and process.executable : \"C:\\\\*\" and\n  (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n  process.parent.name : \"explorer.exe\" and\n  process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n                  \"cscript.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              },
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              },
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.",
+    "false_positives": [
+      "Legitimate scheduled tasks running third party software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution via Scheduled Task",
+    "query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+    "risk_score": 47,
+    "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Explorer Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n   process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n   process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n  ) and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n  not process.parent.args:\n          (\n            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */\n            \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n            \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n          )\n",
+    "risk_score": 47,
+    "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Hidden Child Process of Launchd",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x61.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Image Load (taskschd.dll) from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"taskschd.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action == \"load\" and\n  event.category == \"library\" and\n  file.name == \"taskschd.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action == \"load\" and\n  event.category == \"library\" and\n  file.name == \"taskschd.dll\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious ImagePath Service Creation",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+    "risk_score": 73,
+    "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious JAVA Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n",
+    "references": [
+      "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+      "https://github.com/christophetd/log4shell-vulnerable-app",
+      "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n  process.args : \"-jar\" and process.args : \"*.jar\" and\n  /* Add any FP's here */\n  not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n  not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n  process.args : \"-jar\" and process.args : \"*.jar\" and\n  /* Add any FP's here */\n  not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n  not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": "Suspicious JAR Child Process",
+          "duplicate_old_file": "suspicious-jar-child-process"
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \n                \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \n                \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \n                \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \n                \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n                \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n                \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n                \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n                \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n                \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n                \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n                \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n                \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n                \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n                \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n                \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n                \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"outlook.exe\" and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n                  \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n                  \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n                  \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n                  \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n                  \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n                  \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type == \"start\" and \n  process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where event.type != \"deletion\" and\n  file.name : (\"wscript.exe.log\",\n               \"cscript.exe\",\n               \"mshta.exe.log\",\n               \"wmic.exe.log\",\n               \"svchost.exe.log\",\n               \"dllhost.exe.log\",\n               \"cmstp.exe.log\",\n               \"regsvr32.exe.log\")]\n",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"AcroRd32.exe\",\n                         \"Acrobat.exe\",\n                         \"FoxitPhantomPDF.exe\",\n                         \"FoxitReader.exe\") and\n  process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n                  \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n                  \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n                  \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n                  \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n                  \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n                  \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Portable Executable Encoded in Powershell Script",
+    "note": "## Triage and analysis.\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing\nAntiVirus software. These executables are generally base64 encoded.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    TVqQAAMAAAAEAAAA\n  )\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 3,
+          "updated": "8.0.0",
+          "pre_query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    TVqQAAMAAAAEAAAA\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PowerShell Engine ImageLoad",
+    "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n  not process.name :\n  (\n    \"Altaro.SubAgent.exe\",\n    \"AppV_Manage.exe\",\n    \"azureadconnect.exe\",\n    \"CcmExec.exe\",\n    \"configsyncrun.exe\",\n    \"choco.exe\",\n    \"ctxappvservice.exe\",\n    \"DVLS.Console.exe\",\n    \"edgetransport.exe\",\n    \"exsetup.exe\",\n    \"forefrontactivedirectoryconnector.exe\",\n    \"InstallUtil.exe\",\n    \"JenkinsOnDesktop.exe\",\n    \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n    \"mmc.exe\",\n    \"mscorsvw.exe\",\n    \"msexchangedelivery.exe\",\n    \"msexchangefrontendtransport.exe\",\n    \"msexchangehmworker.exe\",\n    \"msexchangesubmission.exe\",\n    \"msiexec.exe\",\n    \"MsiExec.exe\",\n    \"noderunner.exe\",\n    \"NServiceBus.Host.exe\",\n    \"NServiceBus.Host32.exe\",\n    \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n    \"OuiGui.WPF.exe\",\n    \"powershell.exe\",\n    \"powershell_ise.exe\",\n    \"pwsh.exe\",\n    \"SCCMCliCtrWPF.exe\",\n    \"ScriptEditor.exe\",\n    \"ScriptRunner.exe\",\n    \"sdiagnhost.exe\",\n    \"servermanager.exe\",\n    \"setup100.exe\",\n    \"ServiceHub.VSDetouredHost.exe\",\n    \"SPCAF.Client.exe\",\n    \"SPCAF.SettingsEditor.exe\",\n    \"SQLPS.exe\",\n    \"telemetryservice.exe\",\n    \"UMWorkerProcess.exe\",\n    \"w3wp.exe\",\n    \"wsmprovhost.exe\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "library where file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n  not process.name : (\n  \"Altaro.SubAgent.exe\",\n  \"AppV_Manage.exe\",\n  \"azureadconnect.exe\",\n  \"CcmExec.exe\",\n  \"configsyncrun.exe\",\n  \"choco.exe\",\n  \"ctxappvservice.exe\",\n  \"DVLS.Console.exe\",\n  \"edgetransport.exe\",\n  \"exsetup.exe\",\n  \"forefrontactivedirectoryconnector.exe\",\n  \"InstallUtil.exe\",\n  \"JenkinsOnDesktop.exe\",\n  \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n  \"mmc.exe\",\n  \"mscorsvw.exe\",\n  \"msexchangedelivery.exe\",\n  \"msexchangefrontendtransport.exe\",\n  \"msexchangehmworker.exe\",\n  \"msexchangesubmission.exe\",\n  \"msiexec.exe\",\n  \"MsiExec.exe\",\n  \"noderunner.exe\",\n  \"NServiceBus.Host.exe\",\n  \"NServiceBus.Host32.exe\",\n  \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n  \"OuiGui.WPF.exe\",\n  \"powershell.exe\",\n  \"powershell_ise.exe\",\n  \"pwsh.exe\",\n  \"SCCMCliCtrWPF.exe\",\n  \"ScriptEditor.exe\",\n  \"ScriptRunner.exe\",\n  \"sdiagnhost.exe\",\n  \"servermanager.exe\",\n  \"setup100.exe\",\n  \"ServiceHub.VSDetouredHost.exe\",\n  \"SPCAF.Client.exe\",\n  \"SPCAF.SettingsEditor.exe\",\n  \"SQLPS.exe\",\n  \"telemetryservice.exe\",\n  \"UMWorkerProcess.exe\",\n  \"w3wp.exe\",\n  \"wsmprovhost.exe\"\n )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "library where file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n  not process.name : (\n  \"Altaro.SubAgent.exe\",\n  \"AppV_Manage.exe\",\n  \"azureadconnect.exe\",\n  \"CcmExec.exe\",\n  \"configsyncrun.exe\",\n  \"choco.exe\",\n  \"ctxappvservice.exe\",\n  \"DVLS.Console.exe\",\n  \"edgetransport.exe\",\n  \"exsetup.exe\",\n  \"forefrontactivedirectoryconnector.exe\",\n  \"InstallUtil.exe\",\n  \"JenkinsOnDesktop.exe\",\n  \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n  \"mmc.exe\",\n  \"mscorsvw.exe\",\n  \"msexchangedelivery.exe\",\n  \"msexchangefrontendtransport.exe\",\n  \"msexchangehmworker.exe\",\n  \"msexchangesubmission.exe\",\n  \"msiexec.exe\",\n  \"MsiExec.exe\",\n  \"noderunner.exe\",\n  \"NServiceBus.Host.exe\",\n  \"NServiceBus.Host32.exe\",\n  \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n  \"OuiGui.WPF.exe\",\n  \"powershell.exe\",\n  \"powershell_ise.exe\",\n  \"pwsh.exe\",\n  \"SCCMCliCtrWPF.exe\",\n  \"ScriptEditor.exe\",\n  \"ScriptRunner.exe\",\n  \"sdiagnhost.exe\",\n  \"servermanager.exe\",\n  \"setup100.exe\",\n  \"ServiceHub.VSDetouredHost.exe\",\n  \"SPCAF.Client.exe\",\n  \"SPCAF.SettingsEditor.exe\",\n  \"SQLPS.exe\",\n  \"telemetryservice.exe\",\n  \"UMWorkerProcess.exe\",\n  \"w3wp.exe\",\n  \"wsmprovhost.exe\"\n )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n  not process.name :\n  (\n    \"Altaro.SubAgent.exe\",\n    \"AppV_Manage.exe\",\n    \"azureadconnect.exe\",\n    \"CcmExec.exe\",\n    \"configsyncrun.exe\",\n    \"choco.exe\",\n    \"ctxappvservice.exe\",\n    \"DVLS.Console.exe\",\n    \"edgetransport.exe\",\n    \"exsetup.exe\",\n    \"forefrontactivedirectoryconnector.exe\",\n    \"InstallUtil.exe\",\n    \"JenkinsOnDesktop.exe\",\n    \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n    \"mmc.exe\",\n    \"mscorsvw.exe\",\n    \"msexchangedelivery.exe\",\n    \"msexchangefrontendtransport.exe\",\n    \"msexchangehmworker.exe\",\n    \"msexchangesubmission.exe\",\n    \"msiexec.exe\",\n    \"MsiExec.exe\",\n    \"noderunner.exe\",\n    \"NServiceBus.Host.exe\",\n    \"NServiceBus.Host32.exe\",\n    \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n    \"OuiGui.WPF.exe\",\n    \"powershell.exe\",\n    \"powershell_ise.exe\",\n    \"pwsh.exe\",\n    \"SCCMCliCtrWPF.exe\",\n    \"ScriptEditor.exe\",\n    \"ScriptRunner.exe\",\n    \"sdiagnhost.exe\",\n    \"servermanager.exe\",\n    \"setup100.exe\",\n    \"ServiceHub.VSDetouredHost.exe\",\n    \"SPCAF.Client.exe\",\n    \"SPCAF.SettingsEditor.exe\",\n    \"SQLPS.exe\",\n    \"telemetryservice.exe\",\n    \"UMWorkerProcess.exe\",\n    \"w3wp.exe\",\n    \"wsmprovhost.exe\"\n  )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.11.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+    "false_positives": [
+      "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler File Deletion",
+    "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler Point and Print DLL",
+    "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+    "references": [
+      "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
+      "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : \"spl\" and\n  file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n  not process.name : (\"spoolsv.exe\",\n                      \"printfilterpipelinesvc.exe\",\n                      \"PrintIsolationHost.exe\",\n                      \"splwow64.exe\",\n                      \"msiexec.exe\",\n                      \"poqexec.exe\")\n",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n  file.extension : (\"exe\", \"dll\") and\n  not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 73,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Access via Direct System Call",
+    "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1278013896440324096",
+      "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+    ],
+    "risk_score": 73,
+    "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Creation CallTrace",
+    "query": "sequence by host.id with maxspan=1m\n  [process where event.code == \"1\" and\n   /* sysmon process creation */\n   process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                          \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                          \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\",\n                          \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\")] by process.parent.entity_id, process.entity_id\n  [process where event.code == \"10\" and\n   /* Sysmon process access event from unknown module */\n   winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n",
+    "risk_score": 43,
+    "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process from Conhost",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"conhost.exe\" and\n  not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe and not process.executable:(\"C:\\Windows\\splwow64.exe\" or \"C:\\Windows\\System32\\WerFault.exe\" or \"C:\\\\Windows\\System32\\conhost.exe\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious RDP ActiveX Client Loaded",
+    "query": "library where dll.name : \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n  process.executable :\n    (\n    \"C:\\\\Windows\\\\*\",\n    \"C:\\\\Users\\\\Public\\\\*\",\n    \"C:\\\\Users\\\\Default\\\\*\",\n    \"C:\\\\Intel\\\\*\",\n    \"C:\\\\PerfLogs\\\\*\",\n    \"C:\\\\ProgramData\\\\*\",\n    \"\\\\Device\\\\Mup\\\\*\",\n    \"\\\\\\\\*\"\n    ) and\n    /* add here FPs */\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 47,
+    "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "library where file.name == \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n   wildcard(process.executable, \"C:\\\\Windows\\\\*\",\n                                \"C:\\\\Users\\\\Public\\\\*\",\n                                \"C:\\\\Users\\\\Default\\\\*\",\n                                \"C:\\\\Intel\\\\*\",\n                                \"C:\\\\PerfLogs\\\\*\",\n                                \"C:\\\\ProgramData\\\\*\",\n                                \"\\\\Device\\\\Mup\\\\*\",\n                                \"\\\\\\\\*\") and\n    /* add here FPs */\n   not process.executable in (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "library where file.name == \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n   wildcard(process.executable, \"C:\\\\Windows\\\\*\",\n                                \"C:\\\\Users\\\\Public\\\\*\",\n                                \"C:\\\\Users\\\\Default\\\\*\",\n                                \"C:\\\\Intel\\\\*\",\n                                \"C:\\\\PerfLogs\\\\*\",\n                                \"C:\\\\ProgramData\\\\*\",\n                                \"\\\\Device\\\\Mup\\\\*\",\n                                \"\\\\\\\\*\") and\n    /* add here FPs */\n   not process.executable in (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Script Object Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n  [process where event.type == \"start\" \n   and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n   process.code_signature.trusted == true) and\n     not process.executable : (\n       \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n       \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n       \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n       \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n       \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n  [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n",
+    "risk_score": 47,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n     not (process.name : \"cscript.exe\" or\n          process.name : \"iexplore.exe\" or\n          process.name : \"MicrosoftEdge.exe\" or\n          process.name : \"msiexec.exe\" or\n          process.name : \"smartscreen.exe\" or\n          process.name : \"taskhostw.exe\" or\n          process.name : \"w3wp.exe\" or\n          process.name : \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n     not (process.name : \"cscript.exe\" or\n          process.name : \"iexplore.exe\" or\n          process.name : \"MicrosoftEdge.exe\" or\n          process.name : \"msiexec.exe\" or\n          process.name : \"smartscreen.exe\" or\n          process.name : \"taskhostw.exe\" or\n          process.name : \"w3wp.exe\" or\n          process.name : \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan = 2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted : true and */\n     not process.name : (\n       \"cscript.exe\",\n       \"iexplore.exe\",\n       \"MicrosoftEdge.exe\",\n       \"msiexec.exe\",\n       \"smartscreen.exe\",\n       \"taskhostw.exe\",\n       \"w3wp.exe\",\n       \"wscript.exe\")]\n  [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n",
+          "doc_text": "Updated query.",
+          "pre_name": "Windows Suspicious Script Object Execution",
+          "duplicate_old_file": "windows-suspicious-script-object-execution"
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.",
+    "false_positives": [
+      "Trusted SolarWinds child processes, verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious SolarWinds Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Startup Shell Folder Modification",
+    "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Activity\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges\nwhich can be ideal for an attacker.\n\n#### Possible investigation steps:\n- Review the source process and related file tied to the Windows Registry entry\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations\n- Determine if activity is unique by validating if other machines in same organization have similar entry\n\n### False Positive Analysis\n- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. Before entering further\ninvestigation, this activity should be validated that is it not related to benign activity\n\n### Related Rules\n- Startup or Run Key Registry Modification\n- Persistent Scripts in the Startup Directory\n\n### Response and Remediation\n- Activity should first be validated as a true positive event if so then immediate response should be taken to review,\ninvestigate and potentially isolate activity to prevent further post-compromise behavior\n- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand\nit's behavior and capabilities\n- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first\ninitialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source\nof the attack, this information can then be used to search for similar indicators on other machines in the same environment.\n",
+    "query": "registry where\n registry.path : (\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n     ) and\n  registry.data.strings != null and\n  /* Normal Startup Folder Paths */\n  not registry.data.strings : (\n           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n           )\n",
+    "risk_score": 73,
+    "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "registry where\n registry.path : (\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n     ) and\n  registry.data.strings != null and\n  /* Normal Startup Folder Paths */\n  not registry.data.strings : (\n           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n           )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.13.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMI Image Load from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"wmiutils.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
+    ],
+    "risk_score": 21,
+    "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action == \"load\" and\n  event.category == \"library\" and\n  file.name == \"wmiutils.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action == \"load\" and\n  event.category == \"library\" and\n  file.name == \"wmiutils.dll\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"wmiutils.dll\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n   process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n   wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not wildcard(process.command_line, \"* /format:table *\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows error reporting debugger or applications restarted by WerFault after a crash."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WerFault Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"WerFault.exe\" and\n  not process.name : (\"cofire.exe\",\n                      \"psr.exe\",\n                      \"VsJITDebugger.exe\",\n                      \"TTTracer.exe\",\n                      \"rundll32.exe\",\n                      \"LogiOptionsMgr.exe\") and\n  not process.args : (\"/LOADSAVEDWINDOWS\",\n                      \"/restore\",\n                      \"RestartByRestartManager*\",\n                      \"--restarted\",\n                      \"createdump\",\n                      \"dontsend\",\n                      \"/watson\")\n",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+      "https://blog.menasec.net/2021/01/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Zoom Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          },
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious macOS MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n   \"bash\", \n   \"dash\", \n   \"sh\", \n   \"tcsh\", \n   \"csh\", \n   \"zsh\", \n   \"ksh\", \n   \"fish\", \n   \"python*\", \n   \"perl*\", \n   \"php*\", \n   \"osascript\",\n   \"pwsh\", \n   \"curl\", \n   \"wget\", \n   \"cp\", \n   \"mv\", \n   \"base64\", \n   \"launchctl\"\n  ) and\n  /* noisy false positives related to product version discovery and office errors reporting */\n  not process.args:\n    (\n      \"ProductVersion\",\n      \"hw.model\",\n      \"ioreg\",\n      \"ProductName\",\n      \"ProductUserVisibleVersion\",\n      \"ProductBuildVersion\",\n      \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n    )\n",
+    "references": [
+      "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"
+    ],
+    "risk_score": 47,
+    "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n   \"bash\", \n   \"dash\", \n   \"sh\", \n   \"tcsh\", \n   \"csh\", \n   \"zsh\", \n   \"ksh\", \n   \"fish\", \n   \"python*\", \n   \"perl*\", \n   \"php*\", \n   \"osascript\",\n   \"pwsh\", \n   \"curl\", \n   \"wget\", \n   \"cp\", \n   \"mv\", \n   \"base64\", \n   \"launchctl\"\n )\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Svchost spawning Cmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n  not (process.pe.original_file_name == \"Cmd.Exe\" and process.args : \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat??\")\n",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.",
+    "false_positives": [
+      "Legitimate administrative activity related to shadow copies"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Symbolic Link to Shadow Copy Created",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.pe.original_file_name == \"Cmd.Exe\" and\nprocess.args : \"*mklink*\" and\nprocess.args : \"*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
+      "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Log File Deletion",
+    "query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Shells via Services",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"services.exe\" and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n  \n  /* Third party FP's */\n  not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"services.exe\" and\n  process.name : (\"cmd.exe\", \"powershell.exe\") and\n  \n  /* Third party FP's */\n  not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SystemKey Access via Command Line",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:\"/private/var/db/SystemKey\"\n",
+    "references": [
+      "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"
+    ],
+    "risk_score": 73,
+    "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "TCC Bypass via Mounted APFS Snapshot Access",
+    "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and\n  process.args : (/System/Volumes/Data and noowners)\n",
+    "references": [
+      "https://theevilbit.github.io/posts/cve_2020_9771/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1006",
+            "name": "Direct Volume Access",
+            "reference": "https://attack.mitre.org/techniques/T1006/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Tampering of Bash Command-Line History",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (\n  (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n  (process.name : \"history\" and process.args : \"-c\") or\n  (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n  (process.args : \"unset\" and process.args : \"HISTFILE\") or\n  (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Updated query.",
+          "pre_name": "Deletion of Bash Command Line History",
+          "duplicate_old_file": "deletion-of-bash-command-line-history"
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:23",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.",
+    "false_positives": [
+      "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Third-party Backup Files Deleted via Unexpected Process",
+    "query": "file where event.type == \"deletion\" and\n  (\n  /* Veeam Related Backup Files */\n  (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n  not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n                            \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n  /* Veritas Backup Exec Related Backup File */\n  (file.extension : \"BKF\" and\n  not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n  )\n",
+    "references": [
+      "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"
+    ],
+    "risk_score": 47,
+    "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "8.0.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "8.0.0",
+          "pre_query": "file where event.type == \"deletion\" and\n  (\n  /* Veeam Related Backup Files */\n  (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n  not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n                            \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n  /* Veritas Backup Exec Related Backup File */\n  (file.extension : \"BKF\" and\n  not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "filebeat-8*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "logs-ti_*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Timestomping using Touch Command",
+    "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
+    "risk_score": 47,
+    "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.006",
+                "name": "Timestomp",
+                "reference": "https://attack.mitre.org/techniques/T1070/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"touch\" and wildcard(process.args, \"-r\", \"-t\", \"-a*\",\"-m*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"touch\" and wildcard(process.args, \"-r\", \"-t\", \"-a*\",\"-m*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"touch\" and process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "references": [
+      "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n wildcard(process.executable, \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\") and\n process.parent.name == \"ieinstal.exe\" and process.parent.args == \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n wildcard(process.executable, \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\") and\n process.parent.name == \"ieinstal.exe\" and process.parent.args == \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
+    "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Windows Directory Masquerading",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+    "references": [
+      "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
+    ],
+    "risk_score": 73,
+    "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n  not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n  process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"Clipup.exe\" and \nprocess.executable != \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name == \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n wildcard(process.parent.args,\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"Clipup.exe\" and \nprocess.executable != \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name == \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n wildcard(process.parent.args,\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n  not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n  process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(/autoclean or /AUTOCLEAN) and process.parent.name:svchost.exe and not process.executable:(\"C:\\Windows\\System32\\cleanmgr.exe\" or \"C:\\Windows\\SysWOW64\\cleanmgr.exe\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.args:\"/autoclean\" and process.args:\"/d\" and\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.args:\"/autoclean\" and process.args:\"/d\" and\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.args:\"/autoclean\" and process.args:\"/d\" and\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+    "references": [
+      "https://github.com/AzAgarampur/byeintegrity-uac"
+    ],
+    "risk_score": 47,
+    "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an unauthorized access attempt is made by a user for an Okta application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unauthorized Access to an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+    "risk_score": 21,
+    "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Uncommon Registry Persistence Change",
+    "query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+    "references": [
+      "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"
+    ],
+    "risk_score": 47,
+    "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unexpected Child Process of macOS Screensaver Engine",
+    "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas downloading a payload from a server\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n",
+    "query": "process where event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.pid == 4 and\n  not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n  not process.name : \"conhost.exe\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-60m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "30m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n                                    /* uncomment once in winlogbeat */\n     (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n     process.args_count < 2\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.14.0",
+          "pre_query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule focuses on AWS command activity where the country from the source of the activity has been\nconsidered unusual based on previous history.\n\n#### Possible investigation steps:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS,\ntherefore it's important to validate the activity listed in the investigation steps above.\n\n### Related Rules\n- Unusual City For an AWS Command\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : (\"exe\", \"dll\") and\n  process.name : (\"smss.exe\",\n                  \"autochk.exe\",\n                  \"csrss.exe\",\n                  \"wininit.exe\",\n                  \"services.exe\",\n                  \"lsass.exe\",\n                  \"winlogon.exe\",\n                  \"userinit.exe\",\n                  \"LogonUI.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Creation - Alternate Data Stream",
+    "query": "file where event.type == \"creation\" and\n  file.path : \"C:\\\\*:*\" and\n  not file.path : \"C:\\\\*:zone.identifier*\" and\n  file.extension :\n    (\n      \"pdf\",\n      \"dll\",\n      \"png\",\n      \"exe\",\n      \"dat\",\n      \"com\",\n      \"bat\",\n      \"cmd\",\n      \"sys\",\n      \"vbs\",\n      \"ps1\",\n      \"hta\",\n      \"txt\",\n      \"vbe\",\n      \"js\",\n      \"wsh\",\n      \"docx\",\n      \"doc\",\n      \"xlsx\",\n      \"xls\",\n      \"pptx\",\n      \"ppt\",\n      \"rtf\",\n      \"gif\",\n      \"jpg\",\n      \"png\",\n      \"bmp\",\n      \"img\",\n      \"iso\"\n    )\n",
+    "risk_score": 47,
+    "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n  not file.name : \"dns.log\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
+    "false_positives": [
+      "Users working late, or logging in from unusual time zones while traveling, may trigger this rule."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_hour_for_a_user",
+    "name": "Unusual Hour for a User to Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_network_port_activity_ecs",
+      "v2_linux_anomalous_network_port_activity_ecs"
+    ],
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_process",
+      "v2_linux_rare_metadata_process"
+    ],
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_user",
+      "v2_linux_rare_metadata_user"
+    ],
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_user_name_ecs",
+      "v2_linux_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Linux Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via DllHost",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"dllhost.exe\" and process.args_count == 1]\n  [network where process.name : \"dllhost.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n    \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n    \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n    \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n    \"FF00::/8\")]\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.8.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n  [network where process.name : \"rundll32.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\", \"FE80::/10\", \"::1/128\")]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and\n  process.parent.name : (\"lsass.exe\",\n                         \"csrss.exe\",\n                         \"epad.exe\",\n                         \"regsvr32.exe\",\n                         \"dllhost.exe\",\n                         \"LogonUI.exe\",\n                         \"wermgr.exe\",\n                         \"spoolsv.exe\",\n                         \"jucheck.exe\",\n                         \"jusched.exe\",\n                         \"ctfmon.exe\",\n                         \"taskhostw.exe\",\n                         \"GoogleUpdate.exe\",\n                         \"sppsvc.exe\",\n                         \"sihost.exe\",\n                         \"slui.exe\",\n                         \"SIHClient.exe\",\n                         \"SearchIndexer.exe\",\n                         \"SearchProtocolHost.exe\",\n                         \"FlashPlayerUpdateService.exe\",\n                         \"WerFault.exe\",\n                         \"WUDFHost.exe\",\n                         \"unsecapp.exe\",\n                         \"wlanext.exe\" )\n",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+    "references": [
+      "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
+      "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
+    ],
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or process.name:SearchIndexer.exe and not process.parent.name:services.exe or process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Persistence via Services Registry",
+    "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n                               \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n                            \"?:\\\\Program Files (x86)\\\\*.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n                            \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\services.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n                            \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n                            \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"C:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\", \n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\", \n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"C:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"C:\\\\Program Files*\\\\*.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \n                            \"C:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\drvinst.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                            \"C:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.",
+    "false_positives": [
+      "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Print Spooler Child Process",
+    "query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and user.id : \"S-1-5-18\" and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp\n",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.working_directory: /tmp and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.working_directory:/tmp and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution Path - Alternate Data Stream",
+    "query": "process where event.type == \"start\" and\n  process.args : \"?:\\\\*:*\" and process.args_count == 1\n",
+    "risk_score": 47,
+    "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"C:\\\\*:*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"C:\\\\*:*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"C:\\\\*:*\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n  process.args : \"?:\\\\*:*\" and process.args_count == 1\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.11.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_linux_ecs",
+      "v2_rare_process_by_host_linux_ecs"
+    ],
+    "name": "Unusual Process For a Linux Host",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_windows_ecs",
+      "v2_rare_process_by_host_windows_ecs"
+    ],
+    "name": "Unusual Process For a Windows Host",
+    "note": "## Triage and analysis\n\n###  Investigating an Unusual Windows Process\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.\nBy understanding what is commonly run within an environment and developing baselines for legitimate activity can help\nuncover potential malware and suspicious behaviors.\n\n#### Possible investigation steps:\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\n\n### False Positive Analysis\n- Validate the unusual Windows process is not related to new benign software installation activity. If related to\nlegitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch\nAPI to tune this rule to your environment\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose.  It's possible that a small number of endpoints\nsuch as servers that have very unique software that might appear to be unusual, but satisfy a specific business need.\n\n### Related Rules\n- Anomalous Windows Process Creation\n- Unusual Windows Path Activity\n- Unusual Windows Process Calling the Metadata Service\n\n### Response and Remediation\n- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious\n- Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise\nbehavior such as setting up persistence or performing lateral movement.\n- Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on\nwhat is allowed to run on Windows infrastructure.\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.16.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.",
+    "false_positives": [
+      "Changes to Windows services or a rarely executed child process."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Service Host Child Process - Childless Service",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+    "false_positives": [
+      "Business travelers who roam to new locations may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_source_ip_for_a_user",
+    "name": "Unusual Source IP for a User to Logon from",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.14.0",
+    "added": "7.14.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_network_activity_ecs",
+      "v2_windows_anomalous_network_activity_ecs"
+    ],
+    "name": "Unusual Windows Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_path_activity_ecs",
+      "v2_windows_anomalous_path_activity_ecs"
+    ],
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_process",
+      "v2_windows_rare_metadata_process"
+    ],
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_user",
+      "v2_windows_rare_metadata_user"
+    ],
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_user_name_ecs",
+      "v2_windows_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Windows Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.14.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.15.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Account Creation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"net.exe\", \"net1.exe\") and\n  not process.parent.name : \"net.exe\" and\n  (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"net.exe\", \"net1.exe\") and\n  not process.parent.name : \"net.exe\" and\n  (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Application",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:Success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.11.2",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.12.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.13.0",
+          "pre_query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Skoetting"
+    ],
+    "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Added to Privileged Group in Active Directory",
+    "query": "iam where event.action == \"added-member-to-group\" and\n  group.name : (\"Admin*\",\n                \"Local Administrators\",\n                \"Domain Admins\",\n                \"Enterprise Admins\",\n                \"Backup Admins\",\n                \"Schema Admins\",\n                \"DnsAdmins\",\n                \"Exchange Organization Administrators\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:iam and event.action:\"added-member-to-group\" and group.name:(Administrators or \"Local Administrators\" or \"Domain Admins\" or \"Enterprise Admins\" or \"Backup Admins\" or \"Schema Admins\" or \"DnsAdmins\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "iam where event.action == \"added-member-to-group\" and\n  group.name : (\"Admin*\",\n                \"Local Administrators\",\n                \"Domain Admins\",\n                \"Enterprise Admins\",\n                \"Backup Admins\",\n                \"Schema Admins\",\n                \"DnsAdmins\",\n                \"Exchange Organization Administrators\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.14.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 11,
+          "updated": "7.15.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(\"/sys/class/dmi/id/bios_version\" or\n                \"/sys/class/dmi/id/product_name\" or\n                \"/sys/class/dmi/id/chassis_vendor\" or\n                \"/proc/scsi/scsi\" or\n                \"/proc/ide/hd0/model\") and\n  not user.name:root\n",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting via Grep",
+    "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and \n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x4F.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Private Network Connection Attempt",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n    (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n  )\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+      "https://www.unix.com/man-page/osx/8/networksetup/",
+      "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
+    ],
+    "risk_score": 21,
+    "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.12.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and event.action == \"start\" \n  and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n  process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n  process.args : \"delete\" and process.args : \"shadows\"\n",
+          "doc_text": "Updated query.",
+          "pre_name": "Volume Shadow Copy Deletion via VssAdmin",
+          "duplicate_old_file": "volume-shadow-copy-deletion-via-vssadmin"
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n  process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n  process.args : (\"*Win32_ShadowCopy*\") and\n  process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
+      "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",
+      "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"
+    ],
+    "risk_score": 73,
+    "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2,
+    "last_update": "7.16.0",
+    "added": "7.16.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"WMIC.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 10,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WMI Incoming Lateral Movement",
+    "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction == \"incoming\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\" and \n   source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction == \"incoming\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\" and \n   source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n   source.address != \"127.0.0.1\" and source.address != \"::1\" and \n   source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent string.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "url.path: *",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.15.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.15.0",
+          "pre_query": "http.response.status_code:405\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.14.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.14.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.",
+    "false_positives": [
+      "Legitimate WebProxy Settings Modification"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "WebProxy Settings Modification",
+    "query": "event.category : process and event.type : start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n                                  \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n                                  \"/usr/libexec/xpcproxy\")\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:start and process.name:networksetup and process.args:(\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WebServer Access Logs Deleted",
+    "query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+    "risk_score": 47,
+    "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Webshell Detection: Script Process Child of Common Web Processes",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n  process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 3,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n  process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n  process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.15.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whitespace Padding in Process Command Line",
+    "note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+    "references": [
+      "https://twitter.com/JohnLaTwC/status/1419251082736201737"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "8.0.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.15.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whoami Process Activity",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"\n",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.002",
+                "name": "Code Signing",
+                "reference": "https://attack.mitre.org/techniques/T1553/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.11.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.11.2",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.12.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Disabled via Registry Modification",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+    "references": [
+      "https://thedfirreport.com/2020/12/13/defender-control/"
+    ],
+    "risk_score": 21,
+    "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.13.0",
+          "pre_query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.15.0",
+          "pre_query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Exclusions Added via PowerShell",
+    "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n  process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n  process.args : (\"*-Exclusion*\")\n",
+    "references": [
+      "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name : (\"powershell.exe\", \"pwsh.exe\")) and\n  process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.16.0",
+          "pre_query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name : (\"powershell.exe\", \"pwsh.exe\")) and\n  process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "8.0.0",
+          "pre_query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n  process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "8.0.0",
+    "added": "7.14.0"
+  },
+  {
+    "author": [
+      "Elastic",
+      "Anabella Cristaldi"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows Event Logs Cleared",
+    "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+    "risk_score": 21,
+    "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.16.0",
+          "pre_query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.16.0",
+    "added": "7.12.0"
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.",
+    "false_positives": [
+      "Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Firewall Disabled via PowerShell",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n   process.args : \"*Set-NetFirewallProfile*\" and\n  (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n  (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+      "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+      "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+      "http://woshub.com/manage-windows-firewall-powershell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1,
+    "last_update": "8.0.0",
+    "added": "8.0.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Network Enumeration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestry is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+    "risk_score": 47,
+    "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          },
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestory is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestory is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.15.0",
+          "pre_query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestory is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Executing PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.11.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 7,
+          "updated": "7.11.2",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 8,
+          "updated": "7.12.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 9,
+          "updated": "7.13.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Interpreter Executing Process via WMI",
+    "query": "sequence by host.id with maxspan = 5s\n    [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name :\n        (\n          \"cscript.exe\",\n          \"wscript.exe\",\n          \"PowerShell.EXE\",\n          \"Cmd.Exe\",\n          \"MSHTA.EXE\",\n          \"RUNDLL32.EXE\",\n          \"REGSVR32.EXE\",\n          \"MSBuild.exe\",\n          \"InstallUtil.exe\",\n          \"RegAsm.exe\",\n          \"RegSvcs.exe\",\n          \"msxsl.exe\",\n          \"CONTROL.EXE\",\n          \"EXPLORER.EXE\",\n          \"Microsoft.Workflow.Compiler.exe\",\n          \"msiexec.exe\"\n        ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
+    "risk_score": 47,
+    "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.12.0",
+          "pre_query": "sequence by host.id with maxspan=5s\n    [library where file.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.12.0",
+    "added": "7.11.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n  event.action:meeting.created and not zoom.meeting.password:*\n",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.11.2",
+          "pre_query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.12.0",
+          "pre_query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.13.0",
+          "pre_query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.13.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.",
+    "false_positives": [
+      "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "macOS Installer Spawns Network Event",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type == \"start\" and host.os.family == \"macos\" and\n    process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [network where not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://redcanary.com/blog/clipping-silver-sparrows-wings",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.14.0",
+          "pre_query": "sequence by process.entity_id with maxspan=1m\n  [ process where event.type == \"start\" and host.os.family == \"macos\" and \n      process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [ network where not cidrmatch(destination.ip,\n      \"192.168.0.0/16\",\n      \"10.0.0.0/8\",\n      \"172.16.0.0/12\",\n      \"224.0.0.0/8\",\n      \"127.0.0.0/8\",\n      \"169.254.0.0/16\",\n      \"::1\",\n      \"FE80::/10\",\n      \"FF00::/8\") ]\n",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.15.0",
+          "pre_query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type == \"start\" and host.os.family == \"macos\" and\n    process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [network where not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.15.0",
+    "added": "7.12.0"
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.0.0.json b/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.0.0.json
new file mode 100644
index 0000000000..b8cace39ee
--- /dev/null
+++ b/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.0.0.json
@@ -0,0 +1,33946 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Config Service Tampering",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
+      "https://github.com/easttimor/aws-incident-response"
+    ],
+    "risk_score": 47,
+    "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1020",
+            "name": "Automated Exfiltration",
+            "reference": "https://attack.mitre.org/techniques/T1020/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1074",
+            "name": "Data Staged",
+            "reference": "https://attack.mitre.org/techniques/T1074/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.",
+    "false_positives": [
+      "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 VM Export Failure",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
+    ],
+    "risk_score": 21,
+    "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.",
+    "false_positives": [
+      "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EFS File System or Mount Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been created.",
+    "false_positives": [
+      "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been modified or deleted.",
+    "false_positives": [
+      "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or \n\"Authorize Cache Security Group Ingress\" or  \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or \n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.",
+    "false_positives": [
+      "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EventBridge Rule Disabled or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Execution via System Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and\n  event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n  aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+    "false_positives": [
+      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM User Addition to Group",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "cloud.account.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Root Login",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.",
+    "false_positives": [
+      "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.",
+    "false_positives": [
+      "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Export",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Restored",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
+      "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"
+    ],
+    "risk_score": 47,
+    "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Root Login Without MFA",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n  aws.cloudtrail.user_identity.type:Root and\n  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n  event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
+    "false_positives": [
+      "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transfer Lock Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.",
+    "false_positives": [
+      "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transferred to Another Account",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been created.",
+    "false_positives": [
+      "Route Table being created may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"
+    ],
+    "risk_score": 21,
+    "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been modified or deleted.",
+    "false_positives": [
+      "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Also automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n",
+    "references": [
+      "https://github.com/easttimor/aws-incident-response#network-routing",
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a Route53 private hosted zone has been associated with VPC.",
+    "false_positives": [
+      "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route53 private hosted zone associated with a VPC",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n                DeleteBucketEncryption or DeleteBucketLifecycle)\n  and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.",
+    "false_positives": [
+      "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS SAML Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
+    "false_positives": [
+      "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS STS GetSessionToken Abuse",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and \naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.",
+    "false_positives": [
+      "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Group Configuration Change Detection",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.",
+    "false_positives": [
+      "Automated processes that uses Terraform may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Token Service (STS) AssumeRole Usage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
+    "false_positives": [
+      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Abnormally Large DNS Response",
+    "note": "## Triage and analysis\n\n### Investigating Large DNS Responses\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS\nserver. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)\nalso known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps:\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate\nthe source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.\n- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False Positive Analysis\n- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes\nand related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses\nwere all observed as greater than 65k bytes.\n- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's\nimportant to determine the source of the activity and potential whitelist the source host\n\n\n### Related Rules\n- Unusual Child Process of dns.exe\n- Unusual File Modification by dns.exe\n\n### Response and Remediation\n- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the\npatched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a\nrestart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and\n  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access of Stored Browser Credentials",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n      \"/Users/*/Library/Cookies*\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n      \"Login Data\",\n      \"Cookies.binarycookies\", \n      \"key4.db\", \n      \"key3.db\", \n      \"logins.json\", \n      \"cookies.sqlite\"\n    )\n",
+    "references": [
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access to Keychain Credentials Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Keychains/*\",\n      \"/Library/Keychains/*\",\n      \"/Network/Library/Keychains/*\",\n      \"System.keychain\",\n      \"login.keychain-db\",\n      \"login.keychain\"\n    ) and\n    not process.args : (\"find-certificate\",\n                      \"add-trusted-cert\",\n                      \"set-keychain-settings\",\n                      \"delete-certificate\",\n                      \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n                      \"show-keychain-info\",\n                      \"lock-keychain\",\n                      \"set-key-partition-list\",\n                      \"import\",\n                      \"find-identity\") and\n    not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html",
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.",
+    "false_positives": [
+      "Legitimate remote account administration."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Account Password Reset Remotely",
+    "query": "sequence by host.id with maxspan=5m\n  [authentication where event.action == \"logged-in\" and\n    /* event 4624 need to be logged */\n    winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n    not source.ip in (\"127.0.0.1\", \"::1\")] by winlog.event_data.TargetLogonId\n   /* event 4724 need to be logged */\n  [iam where event.action == \"reset-password\"] by winlog.event_data.SubjectLogonId\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+      "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "AdFind Command Activity",
+    "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from\nActivity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways\nthey are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and\nunderstand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)\nobserved where this tool has been adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps:\n- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand\nthe source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines\nwhat information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.\n- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted\nmachine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic\nto suspicious infrastructure\n\n### False Positive Analysis\n- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One\noption could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can\nbe done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines could be very telling.\n\n### Related Rules\n- Windows Network Enumeration\n- Enumeration of Administrator Accounts\n- Enumeration Command Spawned via WMIPrvSE\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior\n- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate\npurposes, so understanding the intent behind the activity will help determine the appropropriate response.\n",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+    "references": [
+      "http://www.joeware.net/freetools/tools/adfind/",
+      "https://thedfirreport.com/2020/05/08/adfind-recon/",
+      "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+      "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+      "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/",
+            "subtechnique": [
+              {
+                "id": "T1087.002",
+                "name": "Domain Account",
+                "reference": "https://attack.mitre.org/techniques/T1087/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1482",
+            "name": "Domain Trust Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1482/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"attrib.exe\" and process.args : \"+h\"\n",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Privileges Assigned to an Okta Group",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Role Assigned to an Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Okta",
+      "SecOps",
+      "Monitoring",
+      "Continuous Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adobe Hijack Persistence",
+    "query": "file where event.type == \"creation\" and\n  file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n               \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n  not process.name : \"msiexec.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.010",
+                "name": "Services File Permissions Weakness",
+                "reference": "https://attack.mitre.org/techniques/T1574/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Adversary Behavior - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events which have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Mismatched Agent ID",
+    "query": "event.agent_id_status:agent_id_mismatch\n",
+    "risk_score": 73,
+    "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Multiple Hosts Using Same Agent",
+    "query": "event.agent_id_status:*\n",
+    "risk_score": 73,
+    "rule_id": "493834ca-f861-414c-8602-150d5505b777",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "host.id",
+          "value": 2
+        }
+      ],
+      "field": [
+        "agent.id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_process_all_hosts_ecs",
+      "v2_linux_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Linux Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_all_hosts_ecs",
+      "v2_windows_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Windows Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_creation",
+      "v2_windows_anomalous_process_creation"
+    ],
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Script Execution followed by Network Connection",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Command and Control",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Scripting Execution with Administrator Privileges",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n  process.command_line : \"osascript*with administrator privileges\"\n",
+    "references": [
+      "https://discussions.apple.com/thread/2266150"
+    ],
+    "risk_score": 47,
+    "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+    "false_positives": [
+      "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Application Added to Google Workspace Domain",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+    "references": [
+      "https://support.google.com/a/answer/6328701?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Create Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate MFA for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Gatekeeper",
+    "query": "event.category:process and event.type:(start or process_started) and \n  process.args:(spctl and \"--master-disable\")\n",
+    "references": [
+      "https://support.apple.com/en-us/HT202491",
+      "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
+    ],
+    "risk_score": 47,
+    "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:ufw and process.args:(allow or disable or reset) or\n\n  (((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill))) and\n   process.args:(firewalld or ip6tables or iptables))\n",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  ((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill)))\n  and process.args:(syslog or rsyslog or \"syslog-ng\")\n",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Enable the Root Account",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/dsenableroot.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Install Root Certificate",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:security and process.args:\"add-trusted-cert\"\n",
+    "references": [
+      "https://ss64.com/osx/security-cert.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Mount SMB Share via Command Line",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    process.name : \"mount_smbfs\" or\n    (process.name : \"open\" and process.args : \"smb://*\") or\n    (process.name : \"mount\" and process.args : \"smbfs\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n  )\n",
+    "references": [
+      "https://www.freebsd.org/cgi/man.cgi?mount_smbfs",
+      "https://ss64.com/osx/mount.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Remove File Quarantine Attribute",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"xattr\" and\n  (\n    (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n    (process.args : \"-c\" and process.command_line :\n      (\n        \"/bin/bash -c xattr -c *\",\n        \"/bin/zsh -c xattr -c *\",\n        \"/bin/sh -c xattr -c *\"\n      )\n    )\n  )\n",
+    "references": [
+      "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+      "https://ss64.com/osx/xattr.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Reset MFA Factors for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n",
+    "risk_score": 73,
+    "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force a Microsoft 365 User Account",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n                             UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure\n",
+    "references": [
+      "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+    ],
+    "risk_score": 73,
+    "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt occurred at a forbidden time.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login Attempt at Forbidden Time",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"
+    ],
+    "risk_score": 47,
+    "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt has happened from a forbidden location.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login from Forbidden Location",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"
+    ],
+    "risk_score": 73,
+    "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number of failed login attempts has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Failed Login Attempts",
+    "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"
+    ],
+    "risk_score": 47,
+    "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number login sessions has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Login Sessions",
+    "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"
+    ],
+    "risk_score": 47,
+    "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Authorization Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:(/Library/Security/SecurityAgentPlugins/* and\n  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)\n",
+    "references": [
+      "https://developer.apple.com/documentation/security/authorization_plug-ins",
+      "https://www.xorrior.com/persistent-credential-theft/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n  event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 73,
+    "rule_id": "37994bca-0611-4500-ab67-5588afe73b77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk User Sign-in Heuristic",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 47,
+    "rule_id": "26edba02-6979-4bce-920a-70b080a7be81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.",
+    "false_positives": [
+      "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory PowerShell Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n  azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.004",
+                "name": "Cloud Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.",
+    "false_positives": [
+      "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Alert Suppression Rule Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and \nevent.outcome: \"success\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+      "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update"
+    ],
+    "risk_score": 21,
+    "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.",
+    "false_positives": [
+      "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Application Credential Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Account Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n  (\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Webhook Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n    (\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n    ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Permissions Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\n  (\n    azure.activitylogs.operation_name:\"Update policy\" or\n    azure.auditlogs.operation_name:\"Update policy\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure External Guest User Invitation",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"
+    ],
+    "risk_score": 21,
+    "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n    (\n        \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n    ) and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n    azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n                                    \"Add member to role in PIM completed (timebound)\") and\n    azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n    event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Key Vault Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
+    "false_positives": [
+      "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Events Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.",
+    "false_positives": [
+      "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Pods Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Rolebindings Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+      "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"
+    ],
+    "risk_score": 21,
+    "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Network Watcher Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Resource Group Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+    "false_positives": [
+      "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Addition",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.",
+    "false_positives": [
+      "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Credentials Added",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials.\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1496",
+            "name": "Resource Hijacking",
+            "reference": "https://attack.mitre.org/techniques/T1496/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.",
+    "false_positives": [
+      "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Virtual Network Device Modified or Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\"or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 21,
+    "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(base16 or base32 or base32plain or base32hex)\n",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.",
+    "false_positives": [
+      "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Bash Shell Profile Modification",
+    "query": "event.category:file and event.type:change and\n  process.name:(* and not (sudo or\n                           vim or\n                           zsh or\n                           env or\n                           nano or\n                           bash or\n                           Terminal or\n                           xpcproxy or\n                           login or\n                           cat or\n                           cp or\n                           launchctl or\n                           java)) and\n  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n  file.path:(/private/etc/rc.local or\n             /etc/rc.local or\n             /home/*/.profile or\n             /home/*/.profile1 or\n             /home/*/.bash_profile or\n             /home/*/.bash_profile1 or\n             /home/*/.bashrc or\n             /Users/*/.bash_profile or\n             /Users/*/.zshenv)\n",
+    "references": [
+      "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.004",
+                "name": "Unix Shell Configuration Modification",
+                "reference": "https://attack.mitre.org/techniques/T1546/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : \n            (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n             \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n             \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Console History",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n     (process.args : \"*Clear-History*\" or\n     (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n     (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n",
+    "references": [
+      "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+      "https://www.shellhacks.com/clear-history-powershell/",
+      "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+    ],
+    "risk_score": 47,
+    "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Event Logs",
+    "query": "process where event.type in (\"process_started\", \"start\") and\n  (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n    process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.",
+    "false_positives": [
+      "Trusted SolarWinds child processes. Verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Execution via SolarWinds Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.",
+    "false_positives": [
+      "Microsoft Windows installers leveraging RunDLL32 for installation."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Shell Activity Started via RunDLL32",
+    "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n  /* common FPs can be added here */\n  not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n                             \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n",
+    "risk_score": 21,
+    "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Component Object Model Hijacking",
+    "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n      registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+    "references": [
+      "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.015",
+                "name": "Component Object Model Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1546/015/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"conhost.exe\" and\n  process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n                         \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n                         \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Free SSL Certificate Providers",
+    "query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1573",
+            "name": "Encrypted Channel",
+            "reference": "https://attack.mitre.org/techniques/T1573/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Web Services",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\",\n        \"cdn.discordapp.com\",\n        \"discordapp.com\",\n        \"discord.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\-*\\\\Discord.exe\"\n    )\n",
+    "risk_score": 21,
+    "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1102",
+            "name": "Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1102/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1567",
+            "name": "Exfiltration Over Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1567/",
+            "subtechnique": [
+              {
+                "id": "T1567.001",
+                "name": "Exfiltration to Code Repository",
+                "reference": "https://attack.mitre.org/techniques/T1567/001/"
+              },
+              {
+                "id": "T1567.002",
+                "name": "Exfiltration to Cloud Storage",
+                "reference": "https://attack.mitre.org/techniques/T1567/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                              \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                              \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                              \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                              \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                              \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Control Panel Process with Unusual Arguments",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n          (\"*.jpg*\",\n           \"*.png*\",\n           \"*.gif*\",\n           \"*.bmp*\",\n           \"*.jpeg*\",\n           \"*.TIFF*\",\n           \"*.inf*\",\n           \"*.dat*\",\n           \"*.cpl:*/*\",\n           \"*../../..*\",\n           \"*/AppData/Local/*\",\n           \"*:\\\\Users\\\\Public\\\\*\",\n           \"*\\\\AppData\\\\Local\\\\*\")\n",
+    "references": [
+      "https://www.joesandbox.com/analysis/476188/1/html"
+    ],
+    "risk_score": 73,
+    "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.002",
+                "name": "Control Panel",
+                "reference": "https://attack.mitre.org/techniques/T1218/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n  process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n  not process.name in (\"ls\", \"find\")\n",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Launch Agent or Daemon",
+    "query": "file where event.type != \"deletion\" and\n  file.path : \n  (\n    \"/System/Library/LaunchAgents/.*.plist\",\n    \"/Library/LaunchAgents/.*.plist\",\n    \"/Users/*/Library/LaunchAgents/.*.plist\",\n    \"/System/Library/LaunchDaemons/.*.plist\",\n    \"/Library/LaunchDaemons/.*.plist\"\n  )\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Login Item via Apple Script",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
+    "risk_score": 47,
+    "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.002",
+                "name": "AppleScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of a Hidden Local User Account",
+    "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+    "references": [
+      "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+      "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
+    ],
+    "risk_score": 73,
+    "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.004",
+                "name": "Private Keys",
+                "reference": "https://attack.mitre.org/techniques/T1552/004/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Root Certificate",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path :\n    (\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+      "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"
+    ],
+    "risk_score": 21,
+    "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "file where event.type != \"deletion\" and\n  file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n               \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n  not process.name : \"dfsrs.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Credential Acquisition via Registry Hive Dumping",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              },
+              {
+                "id": "T1003.004",
+                "name": "LSA Secrets",
+                "reference": "https://attack.mitre.org/techniques/T1003/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Error",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"
+    ],
+    "risk_score": 73,
+    "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Recommended Monitor",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and\n  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n  not event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 12
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "DNS-over-HTTPS Enabled via Registry",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n  registry.data.strings : \"secure\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+      "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"
+    ],
+    "risk_score": 21,
+    "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Default Cobalt Strike Team Server Certificate",
+    "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
+    "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
+    "references": [
+      "https://attack.mitre.org/software/S0154/",
+      "https://www.cobaltstrike.com/help-setup-collaboration",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
+    "severity": "critical",
+    "tags": [
+      "Command and Control",
+      "Post-Execution",
+      "Threat Detection",
+      "Elastic",
+      "Network",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"deletejournal\" and process.args : \"usn\"\n",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n  process.args : \"catalog\" and process.args : \"delete\"\n",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic",
+      "Ivan Ninichuck",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Event and Security Logs Using Built-in Tools",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n\n  ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n      process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n  ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n      (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\")  or\n\t\n  ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"
+    ],
+    "risk_score": 21,
+    "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"netsh.exe\" and\n  (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n  (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling User Account Control via Registry Modification",
+    "query": "registry where event.type == \"change\" and\n  registry.path :\n    (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n    ) and\n  registry.data.strings : \"0\"\n",
+    "references": [
+      "https://www.greyhathacker.net/?p=796",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+    "false_positives": [
+      "Planned Windows Defender configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling Windows Defender Security Settings via PowerShell",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
+    "false_positives": [
+      "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Domain Added to Google Workspace Trusted Domains",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+    "references": [
+      "https://support.google.com/a/answer/6160020?hl=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Dumping Account Hashes via Built-In Commands",
+    "query": "event.category:process and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n",
+    "references": [
+      "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+      "https://www.unix.com/man-page/osx/8/mkpassdb/"
+    ],
+    "risk_score": 73,
+    "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Dumping of Keychain Content via Security Command",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/security.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "EggShell Backdoor Execution",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n",
+    "references": [
+      "https://github.com/neoneggplant/EggShell"
+    ],
+    "risk_score": 73,
+    "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Emond Rules Creation or Modification",
+    "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+    "false_positives": [
+      "Host Windows Firewall planned system administration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enable Host Network Discovery via Netsh",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+    "risk_score": 47,
+    "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encoded Executable Stored in the Registry",
+    "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+    "risk_score": 47,
+    "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encrypting Files with WinRar or 7z",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
+    ],
+    "risk_score": 47,
+    "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration Command Spawned via WMIPrvSE",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name:\n  (\n    \"arp.exe\",\n    \"dsquery.exe\",\n    \"dsget.exe\",\n    \"gpresult.exe\",\n    \"hostname.exe\",\n    \"ipconfig.exe\",\n    \"nbtstat.exe\",\n    \"net.exe\",\n    \"net1.exe\",\n    \"netsh.exe\",\n    \"netstat.exe\",\n    \"nltest.exe\",\n    \"ping.exe\",\n    \"qprocess.exe\",\n    \"quser.exe\",\n    \"qwinsta.exe\",\n    \"reg.exe\",\n    \"sc.exe\",\n    \"systeminfo.exe\",\n    \"tasklist.exe\",\n    \"tracert.exe\",\n    \"whoami.exe\"\n  ) and\n  process.parent.name:\"wmiprvse.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Administrator Accounts",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+    "risk_score": 21,
+    "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Privileged Local Groups Membership",
+    "note": "## Config\n\nThis will require Windows security event 4799 by enabling audit success for the windows Account Management category and\nthe Security Group Management subcategory.\n",
+    "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n              (\"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n               \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n               \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n               \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n               \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n               \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n               \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n               \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n               \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n               \"?:\\\\Program Files\\\\*.exe\",\n               \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n  winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n",
+    "risk_score": 43,
+    "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Users or Groups via Built-in Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n    \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n     \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n     \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n     \"/usr/local/jamf/bin/jamf\"\n    ) and \n  process.name : (\"ldapsearch\", \"dsmemberutil\") or\n  (process.name : \"dscl\" and \n     process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n     process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n",
+    "risk_score": 21,
+    "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Executable File Creation with Multiple Extensions",
+    "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n  file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n",
+    "risk_score": 47,
+    "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.004",
+                "name": "Masquerade Task or Service",
+                "reference": "https://attack.mitre.org/techniques/T1036/004/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution from Unusual Directory - Command Line",
+    "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name : (\"wscript.exe\", \n                  \"cscript.exe\", \n                  \"rundll32.exe\", \n                  \"regsvr32.exe\", \n                  \"cmstp.exe\",\n                  \"RegAsm.exe\",\n                  \"installutil.exe\",\n                  \"mshta.exe\",\n                  \"RegSvcs.exe\", \n                  \"powershell.exe\", \n                  \"pwsh.exe\", \n                  \"cmd.exe\") and\n                  \n  /* add suspicious execution paths here */\n  process.args : (\"C:\\\\PerfLogs\\\\*\",\n                  \"C:\\\\Users\\\\Public\\\\*\",\n                  \"C:\\\\Users\\\\Default\\\\*\",\n                  \"C:\\\\Windows\\\\Tasks\\\\*\",\n                  \"C:\\\\Intel\\\\*\", \n                  \"C:\\\\AMD\\\\Temp\\\\*\", \n                  \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n                  \"C:\\\\Windows\\\\ServiceState\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n                  \"C:\\\\Windows\\\\Branding\\\\*\",\n                  \"C:\\\\Windows\\\\csc\\\\*\",\n                  \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n                  \"C:\\\\Windows\\\\en-US\\\\*\",\n                  \"C:\\\\Windows\\\\wlansvc\\\\*\",\n                  \"C:\\\\Windows\\\\Prefetch\\\\*\",\n                  \"C:\\\\Windows\\\\Fonts\\\\*\",\n                  \"C:\\\\Windows\\\\diagnostics\\\\*\",\n                  \"C:\\\\Windows\\\\TAPI\\\\*\",\n                  \"C:\\\\Windows\\\\INF\\\\*\",\n                  \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n                  \"C:\\\\windows\\\\tracing\\\\*\",\n                  \"c:\\\\windows\\\\IME\\\\*\",\n                  \"c:\\\\Windows\\\\Performance\\\\*\",\n                  \"c:\\\\windows\\\\intel\\\\*\",\n                  \"c:\\\\windows\\\\ms\\\\*\",\n                  \"C:\\\\Windows\\\\dot3svc\\\\*\",\n                  \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n                  \"C:\\\\Windows\\\\panther\\\\*\",\n                  \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n                  \"C:\\\\Windows\\\\OCR\\\\*\",\n                  \"C:\\\\Windows\\\\appcompat\\\\*\",\n                  \"C:\\\\Windows\\\\apppatch\\\\*\",\n                  \"C:\\\\Windows\\\\addins\\\\*\",\n                  \"C:\\\\Windows\\\\Setup\\\\*\",\n                  \"C:\\\\Windows\\\\Help\\\\*\",\n                  \"C:\\\\Windows\\\\SKB\\\\*\",\n                  \"C:\\\\Windows\\\\Vss\\\\*\",\n                  \"C:\\\\Windows\\\\Web\\\\*\",\n                  \"C:\\\\Windows\\\\servicing\\\\*\",\n                  \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n                  \"C:\\\\Windows\\\\Logs\\\\*\",\n                  \"C:\\\\Windows\\\\WaaS\\\\*\",\n                  \"C:\\\\Windows\\\\twain_32\\\\*\",\n                  \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n                  \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n                  \"C:\\\\Windows\\\\PLA\\\\*\",\n                  \"C:\\\\Windows\\\\Migration\\\\*\",\n                  \"C:\\\\Windows\\\\debug\\\\*\",\n                  \"C:\\\\Windows\\\\Cursors\\\\*\",\n                  \"C:\\\\Windows\\\\Containers\\\\*\",\n                  \"C:\\\\Windows\\\\Boot\\\\*\",\n                  \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n                  \"C:\\\\Windows\\\\assembly\\\\*\",\n                  \"C:\\\\Windows\\\\TextInput\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\schemas\\\\*\",\n                  \"C:\\\\Windows\\\\SchCache\\\\*\",\n                  \"C:\\\\Windows\\\\Resources\\\\*\",\n                  \"C:\\\\Windows\\\\rescache\\\\*\",\n                  \"C:\\\\Windows\\\\Provisioning\\\\*\",\n                  \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n                  \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n                  \"C:\\\\Windows\\\\media\\\\*\",\n                  \"C:\\\\Windows\\\\Globalization\\\\*\",\n                  \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n                  \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n                  \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n                  \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n                  \"C:\\\\$Recycle.Bin\\\\*\") and\n  not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n                                   \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n                                   \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n  not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n",
+    "risk_score": 47,
+    "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of COM object via Xwizard",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n   (process.args : \"RunWizard\" and process.args : \"{*}\") or\n   (process.executable != null and\n     not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n   )\n )\n",
+    "references": [
+      "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+      "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of Persistent Suspicious Program",
+    "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n   /* add suspicious programs here */\n   process.pe.original_file_name in (\"cscript.exe\",\n                                     \"wscript.exe\",\n                                     \"PowerShell.EXE\",\n                                     \"MSHTA.EXE\",\n                                     \"RUNDLL32.EXE\",\n                                     \"REGSVR32.EXE\",\n                                     \"RegAsm.exe\",\n                                     \"MSBuild.exe\",\n                                     \"InstallUtil.exe\") and\n    /* add potential suspicious paths here */\n    process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution via Electron Child Process Node.js Module",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n",
+    "references": [
+      "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
+      "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
+      "https://nodejs.org/api/child_process.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via TSClient Mountpoint",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 73,
+    "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via local SxS Shared Module",
+    "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.",
+    "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"
+    ],
+    "risk_score": 47,
+    "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1129",
+            "name": "Shared Modules",
+            "reference": "https://attack.mitre.org/techniques/T1129/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution with Explicit Credentials via Scripting",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
+      "https://www.manpagez.com/man/8/security_authtrampoline/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Exporting Exchange Mailbox via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.002",
+                "name": "Remote Email Collection",
+                "reference": "https://attack.mitre.org/techniques/T1114/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "External IP Lookup from Non-Browser Process",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\",\n        \"*ipapi.co\",\n        \"*ip-lookup.net\",\n        \"*ipstack.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and\n  process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(chmod or chown or chattr or chgrp) and\n  process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n  not user.name:root\n",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.",
+    "false_positives": [
+      "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "File and Directory Discovery",
+    "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n",
+    "risk_score": 21,
+    "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1083",
+            "name": "File and Directory Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1083/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.",
+    "false_positives": [
+      "Trusted Finder Sync Plugins"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Finder Sync Plugin Registered and Enabled",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Role Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Kubernetes Rolebindings Created or Patched",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+      "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Disabled",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Key Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.",
+    "false_positives": [
+      "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+    "references": [
+      "https://developers.google.com/admin-sdk/directory/v1/guides/delegation"
+    ],
+    "risk_score": 47,
+    "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Assigned to a User",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/172176?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.",
+    "false_positives": [
+      "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Deletion",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Custom Admin Role Created",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace MFA Enforcement Disabled",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false\n",
+    "references": [
+      "https://support.google.com/a/answer/9176657?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Password Policy Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Role Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Group Policy Abuse for Privilege Addition",
+    "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named\nGptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique\nfor each GPO, and only exists if the GPO contains security settings.\nExample Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges,\nfor example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user SIDs associated with these privileges\n\n### False Positive Analysis\n- Verify if these User SIDs should have these privileges enabled.\n- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the\n`winlog.event_data.SubjectUserName` field\n\n### Related Rules\n- Scheduled Task Execution at Scale via GPO\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and \nwinlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 73,
+    "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n  network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n  destination.port:(53 OR 80 OR 8080 OR 443)\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and\n  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n                user.account.unlock_token)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Process and/or Service Terminations",
+    "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
+    "risk_score": 47,
+    "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Hosts File Modified",
+    "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "any where\n\n  /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n     miss this, which is the purpose of the process + command line args logic below */\n  (\n   event.category == \"file\" and event.type in (\"change\", \"creation\") and\n     file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n  )\n  or\n\n  /* process events for change targeting linux only */\n  (\n   event.category == \"process\" and event.type in (\"start\") and\n     process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n     process.args : (\"/etc/hosts\")\n  )\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n  process.args : \"/dontLog*:*True\" and\n  not process.parent.name : \"iissetup.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.002",
+                "name": "Disable Windows Event Logging",
+                "reference": "https://attack.mitre.org/techniques/T1562/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Image File Execution Options Injection",
+    "query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+    "references": [
+      "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
+    ],
+    "risk_score": 41,
+    "rule_id": "6839c821-011d-43bd-bd5b-acff00257226",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.012",
+                "name": "Image File Execution Options Injection",
+                "reference": "https://attack.mitre.org/techniques/T1546/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "ImageLoad via Windows Update Auto Update Client",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+    "references": [
+      "https://dtm.uk/wuauclt/"
+    ],
+    "risk_score": 47,
+    "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement via MSHTA",
+    "query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by host.id, process.entity_id\n",
+    "references": [
+      "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with MMC",
+    "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
+    ],
+    "risk_score": 73,
+    "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
+    "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via PowerShell Remoting",
+    "query": "sequence by host.id with maxspan = 30s\n   [network where network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.",
+    "false_positives": [
+      "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via WinRM Remote Shell",
+    "query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "risk_score": 47,
+    "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.004",
+                "name": "InstallUtil",
+                "reference": "https://attack.mitre.org/techniques/T1218/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan = 5m\n  [process where event.type in (\"start\", \"process_started\") and\n    not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n    registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Security Support Provider",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.005",
+                "name": "Security Support Provider",
+                "reference": "https://attack.mitre.org/techniques/T1547/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and\n  process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and\n  process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:kcc and\n  process.args:copy_cred_cache\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.",
+    "false_positives": [
+      "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Kerberos Traffic from Unusual Process",
+    "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "false_positives": [
+      "Applications for password management."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Keychain Password Retrieval via Command Line",
+    "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
+    "references": [
+      "https://www.netmeister.org/blog/keychain-passwords.html",
+      "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
+      "https://ss64.com/osx/security.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 73,
+    "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LSASS Memory Dump Creation",
+    "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
+    "references": [
+      "https://github.com/outflanknl/Dumpert",
+      "https://github.com/hoangprod/AndrewSpecial"
+    ],
+    "risk_score": 73,
+    "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Movement via Startup Folder",
+    "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2017/06/rdpinception/"
+    ],
+    "risk_score": 73,
+    "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Tool Transfer",
+    "query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction : (\"incoming\", \"ingress\") and\n   network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1570",
+            "name": "Lateral Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1570/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchAgent"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Launch Agent Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n  file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchDaemons"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LaunchDaemon Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Local Scheduled Task Creation",
+    "query": "sequence with maxspan=1m\n  [process where event.type != \"end\" and\n    ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                      \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n    process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                                     \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n                                     \"winrshost.exe\")) or\n    process.code_signature.trusted == false)] by process.entity_id\n  [process where event.type == \"start\" and\n    (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n    process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n    /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n    not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "MFA Disabled for Google Workspace Organization",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n",
+    "risk_score": 47,
+    "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "97314185-2568-4561-ae81-f3e480e5e695",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.",
+    "false_positives": [
+      "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "514121ce-c7b6-474a-8237-68ff71672379",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
+    "false_positives": [
+      "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DLP Policy Removed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.",
+    "false_positives": [
+      "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.",
+    "false_positives": [
+      "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.",
+    "false_positives": [
+      "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Management Group Role Assignment",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
+    ],
+    "risk_score": 21,
+    "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
+    "false_positives": [
+      "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Link Policy Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
+    "false_positives": [
+      "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Creation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "272a6484-2663-46db-a532-ef734bf9a796",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Gary Blackwell",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+    "false_positives": [
+      "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 New Inbox Rule Created",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.003",
+                "name": "Email Forwarding Rule",
+                "reference": "https://attack.mitre.org/techniques/T1114/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.",
+    "false_positives": [
+      "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Potential ransomware activity",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1486",
+            "name": "Data Encrypted for Impact",
+            "reference": "https://attack.mitre.org/techniques/T1486/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
+    "false_positives": [
+      "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
+    ],
+    "risk_score": 47,
+    "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.",
+    "false_positives": [
+      "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams External Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"
+    ],
+    "risk_score": 47,
+    "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.",
+    "false_positives": [
+      "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Guest Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies that a user has deleted an unusually large volume of files  as reported by Microsoft Cloud App Security.",
+    "false_positives": [
+      "Users or System Administrator cleaning out folders."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Unusual Volume of File Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.",
+    "false_positives": [
+      "A user sending emails using personal distribution folders may trigger the event."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 User Restricted from Sending Email",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"MSBuild.exe\" and\n  process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n  process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"eqnedt32.exe\",\n                         \"excel.exe\",\n                         \"fltldr.exe\",\n                         \"msaccess.exe\",\n                         \"mspub.exe\",\n                         \"outlook.exe\",\n                         \"powerpnt.exe\",\n                         \"winword.exe\" )\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.pe.original_file_name == \"MSBuild.exe\" and\n  not process.name : \"MSBuild.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.",
+    "false_positives": [
+      "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n    not process.name : (\"werfault.exe\", \"wermgr.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.",
+    "false_positives": [
+      "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.",
+      "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Writing Suspicious Files",
+    "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n",
+    "query": "file where event.type == \"creation\" and\n  process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n  file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n  (\n    file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n       not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n            file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n                        \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n       not file.name : \"TimeoutLogoff.aspx\")\n  )\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Worker Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n  (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n  process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
+      "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+    ],
+    "risk_score": 73,
+    "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.",
+    "false_positives": [
+      "Legitimate Windows Defender configuration changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Windows Defender Tampering",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+      "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+      "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of AmsiEnable Registry Key",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path: \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" and\n  registry.data.strings: \"0\"\n",
+    "references": [
+      "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
+      "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+    ],
+    "risk_score": 73,
+    "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of Boot Configuration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n  (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n  (process.args : \"no\" and process.args : \"recoveryenabled\")\n",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Dynamic Linker Preload Shared Object",
+    "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload\n",
+    "references": [
+      "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+    ],
+    "risk_score": 47,
+    "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.006",
+                "name": "Dynamic Linker Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Environment Variable via Launchctl",
+    "query": "event.category:process and event.type:start and\n  process.name:launchctl and\n  process.args:(setenv and not (JAVA*_HOME or\n                                RUNTIME_JAVA_HOME or\n                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n                                ANT_HOME or\n                                LG_WEBOS_TV_SDK_HOME or\n                                WEBOS_CLI_TV or\n                                EDEN_ENV)\n                ) and\n  not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/usr/local/bin/kr\" or\n                                 \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
+    ],
+    "risk_score": 47,
+    "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
+    "false_positives": [
+      "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of OpenSSH Binaries",
+    "query": "event.category:file and event.type:change and \n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.executable:/usr/bin/dpkg\n",
+    "references": [
+      "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Safari Settings via Defaults Command",
+    "query": "event.category:process and event.type:start and\n  process.name:defaults and process.args:\n    (com.apple.Safari and write and not\n      (\n      UniversalSearchEnabled or\n      SuppressSearchSuggestions or\n      WebKitTabToLinksPreferenceKey or\n      ShowFullURLInSmartSearchField or\n      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n      )\n    )\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.",
+    "false_positives": [
+      "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Standard Authentication Module or Configuration",
+    "query": "event.category:file and event.type:change and \n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and \n  process.executable:\n    (* and \n      not \n      (\n        /bin/yum or \n        \"/usr/sbin/pam-auth-update\" or \n        /usr/libexec/packagekitd or \n        /usr/bin/dpkg or \n        /usr/bin/vim or \n        /usr/libexec/xpcproxy or \n        /usr/bin/bsdtar or \n        /usr/local/bin/brew or\n        /usr/bin/rsync or\n        /usr/bin/yum or\n        /var/lib/docker/*/bin/yum or\n        /var/lib/docker/*/bin/dpkg or\n        ./merged/var/lib/docker/*/bin/dpkg or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         )\n",
+    "references": [
+      "https://github.com/zephrax/linux-pam-backdoor",
+      "https://github.com/eurialo/pambd",
+      "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
+      "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of WDigest Security Provider",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n  registry.data.strings:\"1\"\n",
+    "references": [
+      "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
+      "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019"
+    ],
+    "risk_score": 73,
+    "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mounting Hidden or WebDav Remote Shares",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+    "risk_score": 21,
+    "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-20m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=10m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "NTDS or SAM Database File Copied",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n       process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n    ) or\n    (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n  ) and\n  process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
+    "references": [
+      "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+      "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
+    ],
+    "risk_score": 73,
+    "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Net command via SYSTEM account",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  process.name : \"whoami.exe\" or\n  (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and\n   process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n   not (\n         user.id == \"S-1-5-18\" and\n         (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n       )\n   ]\n  [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\")  and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n                 event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n    not cidrmatch(destination.ip,\n      \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n      \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n      \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n      \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.",
+    "false_positives": [
+      "Authorized third party network logon providers."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Logon Provider Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n       registry.data.strings in\n                (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n                 \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n                 \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n      )\n",
+    "references": [
+      "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+      "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+    ],
+    "risk_score": 47,
+    "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_destination_country",
+    "name": "Network Traffic to Rare Destination Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "New or Modified Federation Domain",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or \n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"
+    ],
+    "risk_score": 21,
+    "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.002",
+                "name": "Domain Trust Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "NullSessionPipe Registry Modification",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n",
+    "references": [
+      "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"
+    ],
+    "risk_score": 47,
+    "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Excessive Single Sign-On Logon Errors",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+    "risk_score": 73,
+    "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
+    "false_positives": [
+      "Assignment of rights to a service account."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Exchange Suspicious Mailbox Right Delegation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success\n",
+    "risk_score": 21,
+    "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.",
+    "false_positives": [
+      "Legitimate whitelisting of noisy accounts"
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Mailbox Audit Logging Bypass",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n",
+    "references": [
+      "https://twitter.com/misconfig/status/1476144066807140355"
+    ],
+    "risk_score": 47,
+    "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Outbound Scheduled Task Activity via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Parent Process PID Spoofing",
+    "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=5m\n [process where event.type == \"start\" and\n  process.Ext.token.integrity_level_name != \"system\" and\n  (\n    process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                                     \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                                     \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n                                     \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or\n    process.executable : (\"?:\\\\Users\\\\*.exe\",\n                          \"?:\\\\ProgramData\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Tasks\\\\*\") or\n    process.code_signature.trusted != true\n  )\n  ] by process.pid\n [process where event.type == \"start\" and process.parent.Ext.real.pid > 0 and\n  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n  \n  not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\")\n ] by process.parent.Ext.real.pid\n",
+    "references": [
+      "https://blog.didierstevens.com/2017/03/20/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/",
+            "subtechnique": [
+              {
+                "id": "T1134.004",
+                "name": "Parent PID Spoofing",
+                "reference": "https://attack.mitre.org/techniques/T1134/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Peripheral Device Discovery",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+    "risk_score": 21,
+    "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1120",
+            "name": "Peripheral Device Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1120/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via BITS Job Notify Cmdline",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n  not process.executable :\n              (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n               \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n               \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+      "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+      "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+    ],
+    "risk_score": 47,
+    "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1197",
+            "name": "BITS Jobs",
+            "reference": "https://attack.mitre.org/techniques/T1197/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via DirectoryService Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n",
+    "references": [
+      "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"
+    ],
+    "risk_score": 47,
+    "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via Docker Shortcut Modification",
+    "query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Folder Action Script",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\")] by process.parent.pid\n",
+    "references": [
+      "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
+    ],
+    "risk_score": 47,
+    "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Hidden Run Key Detected",
+    "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+    "references": [
+      "https://github.com/outflanknl/SharpHide",
+      "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via KDE AutoStart Script or Desktop File Modification",
+    "query": "file where event.type != \"deletion\" and\n  file.extension in (\"sh\", \"desktop\") and\n  file.path :\n    (\n      \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n      \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n      \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n      \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n      \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n      \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n      \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n      \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n    )\n",
+    "references": [
+      "https://userbase.kde.org/System_Settings/Autostart",
+      "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Login or Logout Hook",
+    "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n       (\n         \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n       )\n",
+    "references": [
+      "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
+      "https://www.manpagez.com/man/1/defaults/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Office AddIns",
+    "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n    (\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n    )\n",
+    "references": [
+      "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.",
+    "false_positives": [
+      "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Outlook VBA",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+      "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"
+    ],
+    "risk_score": 47,
+    "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.",
+    "false_positives": [
+      "Legitimate scheduled jobs may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Scheduled Job Creation",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+    "risk_score": 47,
+    "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n  not process.name : (\"conhost.exe\",\n                      \"DeviceCensus.exe\",\n                      \"CompatTelRunner.exe\",\n                      \"DismHost.exe\",\n                      \"rundll32.exe\",\n                      \"powershell.exe\")\n",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "process where event.type == \"start\" and\n  process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n  process.parent.args : \"UsoSvc\" and\n  not process.executable :\n         (\n          \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n          )\n",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Event Subscription",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+    "risk_score": 21,
+    "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.003",
+                "name": "Windows Management Instrumentation Event Subscription",
+                "reference": "https://attack.mitre.org/techniques/T1546/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Standard Registry Provider",
+    "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n                  \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n                  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
+    ],
+    "risk_score": 73,
+    "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistent Scripts in the Startup Directory",
+    "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+    "risk_score": 47,
+    "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Port Forwarding Rule Addition",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and \n  (\n    azure.activitylogs.operation_name:\"Consent to application\" or\n    azure.auditlogs.operation_name:\"Consent to application\" or\n    o365.audit.Operation:\"Consent to application.\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Okta DoS Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Admin Group Account Addition",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n",
+    "references": [
+      "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"
+    ],
+    "risk_score": 47,
+    "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+    "false_positives": [
+      "Processes such as MS Office using IEproxy to render HTML content."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Command and Control via Internet Explorer",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
+    "risk_score": 47,
+    "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
+    "false_positives": [
+      "Developers performing browsers plugin or extension debugging."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Potential Cookies Theft via Browser Debugging",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\", \n                   \"--remote-debugging-targets=*\",  \n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+    "references": [
+      "https://github.com/defaultnamehere/cookie_crimes",
+      "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+      "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+      "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
+    ],
+    "risk_score": 47,
+    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via DuplicateHandle in LSASS",
+    "query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+    "references": [
+      "https://github.com/CCob/MirrorDump"
+    ],
+    "risk_score": 47,
+    "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via LSASS Memory Dump",
+    "query": "process where event.code == \"10\" and\n  winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n  \n   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n  winlog.event_data.CallTrace : (\"*dbhelp*\", \"*dbgcore*\") and\n  \n   /* case of lsass crashing */\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n",
+    "references": [
+      "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"
+    ],
+    "risk_score": 73,
+    "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Renamed COM+ Services DLL",
+    "note": "## Config\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.",
+    "query": "sequence by process.entity_id with maxspan=1m\n [process where event.category == \"process\" and\n    process.name : \"rundll32.exe\"]\n [process where event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n   (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n    /* renamed COMSVCS */\n    not file.name : \"COMSVCS.DLL\"]\n",
+    "references": [
+      "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Windows Utilities",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+    "references": [
+      "https://lolbas-project.github.io/"
+    ],
+    "risk_score": 73,
+    "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              },
+              {
+                "id": "T1003.003",
+                "name": "NTDS",
+                "reference": "https://attack.mitre.org/techniques/T1003/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Dennis Perto"
+    ],
+    "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+    "false_positives": [
+      "Microsoft Antimalware Service Executable installed on non default installation path."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+    "query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n",
+    "references": [
+      "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+    ],
+    "risk_score": 73,
+    "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "process where event.type == \"start\" and\n  process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n  not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n         process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n                               \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n         )\n",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)\n",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via NsLookup",
+    "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.004",
+                "name": "DNS",
+                "reference": "https://attack.mitre.org/techniques/T1071/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 15
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0\n",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+    "risk_score": 47,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Hidden Local User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n",
+    "references": [
+      "https://support.apple.com/en-us/HT203998"
+    ],
+    "risk_score": 47,
+    "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Kerberos Attack via Bifrost",
+    "query": "event.category:process and event.type:start and \n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n",
+    "references": [
+      "https://github.com/its-a-feature/bifrost"
+    ],
+    "risk_score": 73,
+    "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.003",
+                "name": "Pass the Ticket",
+                "reference": "https://attack.mitre.org/techniques/T1550/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSA Authentication Package Abuse",
+    "query": "registry where event.type == \"change\" and\n  registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 47,
+    "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.",
+    "query": "process where event.code:\"4688\" and\n  process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n  process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
+    ],
+    "risk_score": 73,
+    "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
+    "query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "winlog.event_data.TargetProcessId",
+          "value": 2
+        }
+      ],
+      "field": [
+        "process.entity_id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Microsoft Office Sandbox Evasion",
+    "query": "event.category:file and not event.type:deletion and file.name:~$*.zip\n",
+    "references": [
+      "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
+      "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/",
+      "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"
+    ],
+    "risk_score": 73,
+    "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+    "references": [
+      "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
+    ],
+    "risk_score": 73,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.",
+    "false_positives": [
+      "Updates to approved and trusted SSH executables can trigger this rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential OpenSSH Backdoor Logging Activity",
+    "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n  (\n    file.name : (\".*\", \"~*\") or\n    file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n    file.path : \n    (\n      \"/private/etc/*--\", \n      \"/usr/share/*\", \n      \"/usr/include/*\", \n      \"/usr/local/include/*\", \n      \"/private/tmp/*\", \n      \"/private/var/tmp/*\",\n      \"/usr/tmp/*\", \n      \"/usr/share/man/*\", \n      \"/usr/local/share/*\", \n      \"/usr/lib/*.so.*\", \n      \"/private/etc/ssh/.sshd_auth\",\n      \"/usr/bin/ssd\", \n      \"/private/var/opt/power\", \n      \"/private/etc/ssh/ssh_known_hosts\", \n      \"/private/var/html/lol\", \n      \"/private/var/log/utmp\", \n      \"/private/var/lib\",\n      \"/var/run/sshd/sshd.pid\",\n      \"/var/run/nscd/ns.pid\",\n      \"/var/run/udev/ud.pid\",\n      \"/var/run/udevd.pid\"\n    )\n  )\n",
+    "references": [
+      "https://github.com/eset/malware-ioc/tree/master/sshdoor",
+      "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Password Spraying of Microsoft 365 User Accounts",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
+    "risk_score": 73,
+    "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Atom Init Script Modification",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
+      "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Login Hook",
+    "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Periodic Tasks",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n",
+    "references": [
+      "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
+      "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"
+    ],
+    "risk_score": 21,
+    "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Time Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/22/persistence-time-providers/"
+    ],
+    "risk_score": 47,
+    "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.003",
+                "name": "Time Providers",
+                "reference": "https://attack.mitre.org/techniques/T1547/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Port Monitor or Print Processor Registration Abuse",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n    \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n  registry.data.strings : \"*.dll\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare Exploit Registry Modification",
+    "query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n   registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare File Modification",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
+    "references": [
+      "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via TCCDB Modification",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+    "references": [
+      "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
+      "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
+      "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
+    ],
+    "risk_score": 47,
+    "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via InstallerFileTakeOver",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Priivilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,\nan unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n#### Possible investigation steps:\n\n- Check for the digital signature of the executable\n- Look for additional processes spawned by the process, command lines and network communications.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n\n- Verify whether the digital signature exists in the executable, and if it is valid.\n\n### Related Rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and Remediation\n\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and \n    user.id : \"S-1-5-18\" and\n    (\n      (process.name : \"elevation_service.exe\" and \n       not process.pe.original_file_name == \"elevation_service.exe\") or\n\n      (process.parent.name : \"elevation_service.exe\" and \n       process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\")) \n    )\n",
+    "references": [
+      "https://github.com/klinix5/InstallerFileTakeOver"
+    ],
+    "risk_score": 73,
+    "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via Sudoers File Modification",
+    "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n",
+    "risk_score": 73,
+    "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Process Herpaderping Attempt",
+    "query": "sequence with maxspan=5s\n   [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n   [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+    "references": [
+      "https://github.com/jxy-s/herpaderping"
+    ],
+    "risk_score": 73,
+    "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Process Injection via PowerShell",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,\nlike the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject\npayloads directly into the memory, without touching the disk.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n   (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n      LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n   (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n      SuspendThread or ResumeThread)\n  )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
+      "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Protocol Tunneling via EarthWorm",
+    "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
+    "references": [
+      "http://rootkiter.com/EarthWorm/",
+      "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+    ],
+    "risk_score": 47,
+    "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Shadowing Activity",
+    "query": "/* Identifies the modification of RDP Shadow registry or\n  the execution of processes indicative of active shadow RDP session */\n\nany where \n  (event.category == \"registry\" and\n     registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n  ) or\n  (event.category == \"process\" and \n     (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n     (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n  )\n",
+    "references": [
+      "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
+      "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Tunneling Detected",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+    "references": [
+      "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
+    ],
+    "risk_score": 73,
+    "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Reverse Shell Activity via Terminal",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n  process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n",
+    "references": [
+      "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+      "https://github.com/WangYihang/Reverse-Shell-Manager",
+      "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential SSH Brute Force Detected",
+    "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n",
+    "references": [
+      "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 20
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential SharpRDP Behavior",
+    "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and\n  user.name:(apache or nginx or www or \"www-data\")\n",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Windows Error Manager Masquerading",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
+      "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Keylogging Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other\nvaluable information as Credit Card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n   )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
+      "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.001",
+                "name": "Keylogging",
+                "reference": "https://attack.mitre.org/techniques/T1056/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.",
+    "false_positives": [
+      "Powershell Scripts that use this capability for troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell MiniDump Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nProcess Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged\ninformation stored in the process memory.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
+      "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 73,
+    "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell PSReflect Script",
+    "note": "## Triage and analysis\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through\nPowerShell, enabling the defender to discover tools being dropped in the environment.\n\n#### Possible investigation steps:\n- Check for additional PowerShell logs that indicate that the script/command was run.\n- Gather the script content that may be split into multiple script blocks, and identify its capabilities.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\nThe 'PowerShell Script Block Logging' logging policy is required be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text:(\n    New-InMemoryModule or\n    Add-Win32Type or\n    psenum or\n    DefineDynamicAssembly or\n    DefineDynamicModule or\n    Reflection.TypeAttributes or\n    Reflection.Emit.OpCodes or\n    Reflection.Emit.CustomAttributeBuilder or\n    Runtime.InteropServices.DllImportAttribute\n  )\n",
+    "references": [
+      "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Discovery Related Windows API Functions",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries\nlike PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    NetShareEnum or\n    NetWkstaUserEnum or\n    NetSessionEnum or\n    NetLocalGroupEnum or\n    NetLocalGroupGetMembers or\n    DsGetSiteName or\n    DsEnumerateDomainTrusts or\n    WTSEnumerateSessionsEx or\n    WTSQuerySessionInformation or\n    LsaGetLogonSessionData or\n    QueryServiceObjectSecurity\n  )\n",
+    "references": [
+      "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          },
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.",
+    "false_positives": [
+      "Legitimate PowerShell Scripts which makes use of compression and encoding"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Payload Encoded and Compressed",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    (System.IO.Compression.DeflateStream or System.IO.Compression.GzipStream or IO.Compression.DeflateStream or IO.Compression.GzipStream) and\n    FromBase64String\n  )\n",
+    "risk_score": 47,
+    "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the\ncomputer.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1123",
+            "name": "Audio Capture",
+            "reference": "https://attack.mitre.org/techniques/T1123/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Screenshot Capabilities",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (System.Drawing.Bitmap or Drawing.Bitmap)\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
+    ],
+    "risk_score": 47,
+    "rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1113",
+            "name": "Screen Capture",
+            "reference": "https://attack.mitre.org/techniques/T1113/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Named Pipe Impersonation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+    "references": [
+      "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation"
+    ],
+    "risk_score": 73,
+    "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Rogue Named Pipe Impersonation",
+    "note": "## Config\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n",
+    "query": "file where event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n  file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
+    "references": [
+      "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
+      "https://github.com/zcgonvh/EfsPotato",
+      "https://twitter.com/SBousseaden/status/1429530155291193354"
+    ],
+    "risk_score": 73,
+    "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Root Crontab File Modification",
+    "query": "event.category:file and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n",
+    "references": [
+      "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
+      "https://www.exploit-db.com/exploits/42146"
+    ],
+    "risk_score": 73,
+    "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Windir Environment Variable",
+    "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+    "references": [
+      "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Execution from an Unusual Directory",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "risk_score": 47,
+    "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Termination followed by Deletion",
+    "query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+    "risk_score": 47,
+    "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Program Files Directory Masquerading",
+    "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.005",
+                "name": "Match Legitimate Name or Location",
+                "reference": "https://attack.mitre.org/techniques/T1036/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Prompt for Credentials with OSASCRIPT",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
+      "https://ss64.com/osx/osascript.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.002",
+                "name": "GUI Input Capture",
+                "reference": "https://attack.mitre.org/techniques/T1056/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "RDP Enabled via Registry",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
+    "false_positives": [
+      "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_user",
+    "name": "Rare User Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppCert DLL",
+    "query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+    "risk_score": 47,
+    "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.009",
+                "name": "AppCert DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/009/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppInit DLL",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.010",
+                "name": "AppInit DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Desktop Enabled in Windows Firewall",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+    "risk_score": 47,
+    "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Execution via File Shares",
+    "query": "sequence with maxspan=1m\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "references": [
+      "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy to a Hidden Share",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+    "risk_score": 47,
+    "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n  file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          },
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n  process.args : \"/lockscreenurl:http*\"\n",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n   process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+    "risk_score": 47,
+    "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Script Interpreter",
+    "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+    "risk_score": 47,
+    "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on)\n",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html",
+      "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Scheduled Task Creation",
+    "note": "## Triage and analysis\n\n### Investigating Creation of Remote Scheduled Tasks\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can\nbe used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.\nWhen investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the\noriginal intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind\nof network administrator work. One objective for these alerts is to understand the configured action within the scheduled\ntask, this is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps:\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the\nscheduled task.\n- Further examination should include both the source and target machines where host-based artifacts and network logs\nshould be reviewed further around the time window of the creation of the scheduled task.\n\n### False Positive Analysis\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature\nwithin Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to\nfurther understand the source of the activity and determine the intent based on the scheduled task contents.\n\n### Related Rules\n- Service Command Lateral Movement\n- Remotely Started Services via RPC\n\n### Response and Remediation\n- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should\nbe taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise\nbehavior.\n- Remove scheduled task and any other related artifacts to the activity.\n- Review privileged account management and user account management settings such as implementing GPO policies to further\nrestrict activity or configure settings that only allow Administrators to create remote scheduled tasks.\n",
+    "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote System Discovery Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+    "risk_score": 21,
+    "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remotely Started Services via RPC",
+    "query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SIP Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path: (\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n    ) and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://github.com/mattifestation/PoCSubjectInterfacePackage"
+    ],
+    "risk_score": 47,
+    "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.003",
+                "name": "SIP and Trust Provider Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1553/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SSH Authorized Keys File Modification",
+    "query": "event.category:file and event.type:(change or creation) and \n file.name:(\"authorized_keys\" or \"authorized_keys2\") and \n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or \n              /usr/local/Cellar/maven/*/libexec/bin/mvn or \n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or \n              /usr/bin/vim or \n              /usr/local/Cellar/coreutils/*/bin/gcat or \n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or \n              /usr/bin/scp or\n              /usr/bin/touch or \n              /var/lib/docker/*)\n",
+    "risk_score": 47,
+    "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.004",
+                "name": "SSH Authorized Keys",
+                "reference": "https://attack.mitre.org/techniques/T1098/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SUNBURST Command and Control Activity",
+    "note": "## Triage and analysis\n\nThe SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
+    "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n  process.name : (\"ConfigurationWizard.exe\",\n                  \"NetFlowService.exe\",\n                  \"NetflowDatabaseMaintenance.exe\",\n                  \"SolarWinds.Administration.exe\",\n                  \"SolarWinds.BusinessLayerHost.exe\",\n                  \"SolarWinds.BusinessLayerHostx64.exe\",\n                  \"SolarWinds.Collector.Service.exe\",\n                  \"SolarwindsDiagnostics.exe\") and\n  (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n  (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n  not http.request.body.content : \"*solarwinds.com*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Created by a Windows Script",
+    "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.",
+    "query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Execution at Scale via GPO",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,\nthis is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious\ncommands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and \n   winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) \nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n  (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse",
+      "https://twitter.com/menasec1/status/1106899890377052160",
+      "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
+    ],
+    "risk_score": 47,
+    "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Tasks AT Command Enabled",
+    "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"
+    ],
+    "risk_score": 47,
+    "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Screensaver Plist File Modified by Unexpected Process",
+    "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host",
+    "query": "file where event.type != \"deletion\" and\n  file.name: \"com.apple.screensaver.*.plist\" and\n  file.path : (\n    \"/Users/*/Library/Preferences/ByHost/*\",\n    \"/Library/Managed Preferences/*\",\n    \"/System/Library/Preferences/*\"\n    ) and\n  /* Filter OS processes modifying screensaver plist files */\n  not process.executable : (\n    \"/usr/sbin/cfprefsd\",\n    \"/usr/libexec/xpcproxy\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Searching for Saved Credentials via VaultCmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n  process.args:\"/list*\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://rastamouse.me/blog/rdp-jump-boxes/"
+    ],
+    "risk_score": 47,
+    "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.004",
+                "name": "Windows Credential Manager",
+                "reference": "https://attack.mitre.org/techniques/T1555/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery using WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+    "risk_score": 47,
+    "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
+    "false_positives": [
+      "Endpoint Security installers, updaters and post installation verification scripts."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery via Grep",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n   process.args :\n         (\"Little Snitch*\",\n          \"Avast*\",\n          \"Avira*\",\n          \"ESET*\",\n          \"BlockBlock*\",\n          \"360Sec*\",\n          \"LuLu*\",\n          \"KnockKnock*\",\n          \"kav\",\n          \"KIS\",\n          \"RTProtectionDaemon*\",\n          \"Malware*\",\n          \"VShieldScanner*\",\n          \"WebProtection*\",\n          \"webinspectord*\",\n          \"McAfee*\",\n          \"isecespd*\",\n          \"macmnsvc*\",\n          \"masvc*\",\n          \"kesl*\",\n          \"avscan*\",\n          \"guard*\",\n          \"rtvscand*\",\n          \"symcfgd*\",\n          \"scmdaemon*\",\n          \"symantec*\",\n          \"sophos*\",\n          \"osquery*\",\n          \"elastic-endpoint*\"\n          ) and\n   not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
+    "risk_score": 47,
+    "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sensitive Files Compression",
+    "query": "event.category:process and event.type:start and\n  process.name:(zip or tar or gzip or hdiutil or 7z) and\n  process.args:\n    (\n      /root/.ssh/id_rsa or\n      /root/.ssh/id_rsa.pub or\n      /root/.ssh/id_ed25519 or\n      /root/.ssh/id_ed25519.pub or\n      /root/.ssh/authorized_keys or\n      /root/.ssh/authorized_keys2 or\n      /root/.ssh/known_hosts or\n      /root/.bash_history or\n      /etc/hosts or\n      /home/*/.ssh/id_rsa or\n      /home/*/.ssh/id_rsa.pub or\n      /home/*/.ssh/id_ed25519 or\n      /home/*/.ssh/id_ed25519.pub or\n      /home/*/.ssh/authorized_keys or\n      /home/*/.ssh/authorized_keys2 or\n      /home/*/.ssh/known_hosts or\n      /home/*/.bash_history or\n      /root/.aws/credentials or\n      /root/.aws/config or\n      /home/*/.aws/credentials or\n      /home/*/.aws/config or\n      /root/.docker/config.json or\n      /home/*/.docker/config.json or\n      /etc/group or\n      /etc/passwd or\n      /etc/shadow or\n      /etc/gshadow\n    )\n",
+    "references": [
+      "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Collection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan = 1m\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n      process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n      process.args : (\"create\", \"config\", \"failure\", \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Control Spawned via Script Interpreter",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n  process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n                         \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n  process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n  /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Setuid / Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n           (\n             /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n             /\\/usr\\/local\\/lib\\/python.+/ OR\n             /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n             /\\/Library\\/Filesystems\\/.+/ OR\n             /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n             /\\/Library\\/Application.*/ OR\n             \"/run/postgresql\" OR\n             \"/var/crash\" OR\n             \"/var/run/postgresql\" OR\n             /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n             /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n             \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n             /\\/run\\/log\\/journal\\/.*/ OR\n             \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n           ) AND\n NOT process.parent.executable:\n           (\n             /\\/var\\/lib\\/docker\\/.+/ OR\n             \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n             \"/var/lib/dpkg/info/whoopsie.postinst\"\n           )\n",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.001",
+                "name": "Setuid and Setgid",
+                "reference": "https://attack.mitre.org/techniques/T1548/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shell Execution via Apple Scripting",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n",
+    "references": [
+      "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shortcut File Written or Modified for Persistence",
+    "query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.",
+    "false_positives": [
+      "Authorized SoftwareUpdate Settings Changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SoftwareUpdate Preferences Modification",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:defaults and \n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n",
+    "references": [
+      "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SolarWinds Process Disabling Services via Registry",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a\nparticular error message. The error message in question was associated with the response to an AWS API command or method call,\nthis has the potential to uncover unknown threats or activity.\n\n#### Possible investigation steps:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n\n### False Positive Analysis\n- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent\nchanges to automation modules or scripting.\n- Adoption of new services or implementing new functionality to scripts may generate false positives\n\n### Related Rules\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
+    "false_positives": [
+      "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_fails",
+    "name": "Spike in Failed Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_denies",
+    "name": "Spike in Firewall Denies",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events",
+    "name": "Spike in Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
+    "name": "Spike in Logon Events from a Source IP",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_events",
+    "name": "Spike in Network Traffic",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_by_destination_country",
+    "name": "Spike in Network Traffic To a Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup Folder Persistence via Unsigned Process",
+    "query": "sequence by host.id, process.entity_id with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n  /* suspicious paths can be added here  */\n   process.executable : (\"C:\\\\Users\\\\*.exe\", \n                         \"C:\\\\ProgramData\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n                         \"C:\\\\Intel\\\\*.exe\", \n                         \"C:\\\\PerfLogs\\\\*.exe\")\n   ]\n   [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n    file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n                 \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n   ]\n",
+    "risk_score": 41,
+    "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup or Run Key Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n  not (process.name : \"OneDriveSetup.exe\" and\n       registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n       registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n",
+    "risk_score": 21,
+    "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.",
+    "false_positives": [
+      "Legitimate Administrative Activity"
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Startup/Logon Script added to Group Policy Object",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to\nexecute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or \n`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\\Machine\\Scripts\\`, `<GPOPath>\\User\\Scripts\\`\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n   winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n   (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 47,
+    "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Sublime Plugin or Application Script Modification",
+    "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n  file.path : \n    (\n      \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n    ) and\n  not process.executable : \n    (\n      \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n      \"/usr/local/Cellar/git/*/bin/git\", \n      \"/usr/libexec/xpcproxy\", \n      \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 21,
+    "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.",
+    "false_positives": [
+      "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudo Heap-Based Buffer Overflow Attempt",
+    "query": "event.category:process and event.type:start and\n  process.name:(sudo or sudoedit) and\n  process.args:(*\\\\ and (\"-i\" or \"-s\"))\n",
+    "references": [
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
+      "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
+      "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
+      "https://www.sudo.ws/alerts/unescape_overflow.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.hostname"
+      ],
+      "value": 100
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n",
+    "risk_score": 47,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Reflection via PowerShell",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    \"[System.Reflection.Assembly]::Load\" or\n    \"[Reflection.Assembly]::Load\"\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
+    ],
+    "risk_score": 73,
+    "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Automator Workflows Execution",
+    "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Browser Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n  process.command_line != null and \n  not process.args : \n    ( \n      \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n      \"hw.model\", \n      \"IOPlatformExpertDevice\", \n      \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n      \"--defaults-torrc\", \n      \"Chrome.app\", \n      \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n      \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n      \"$DISPLAY\", \n      \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n    )\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x43.html",
+      "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"
+    ],
+    "risk_score": 73,
+    "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1203",
+            "name": "Exploitation for Client Execution",
+            "reference": "https://attack.mitre.org/techniques/T1203/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1189",
+            "name": "Drive-by Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1189/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.",
+    "false_positives": [
+      "Trusted applications for managing calendars and reminders."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Calendar File Modification",
+    "query": "event.category:file and event.action:modification and\n  file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n  process.executable:\n  (* and not \n    (\n      /System/Library/* or \n      /System/Applications/Calendar.app/Contents/MacOS/* or \n      /usr/libexec/xpcproxy or \n      /sbin/launchd or \n      /Applications/*\n    )\n  )\n",
+    "references": [
+      "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
+      "https://github.com/FSecureLABS/CalendarPersist",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious CertUtil Commands",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n",
+    "references": [
+      "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+      "https://twitter.com/egre55/status/1087685529016193025",
+      "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+      "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"
+    ],
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.",
+    "false_positives": [
+      "Trusted system or Adobe Acrobat Related processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n  user.name:root and\n  not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n                           /usr/bin/codesign or\n                           /private/var/folders/zz/*/T/download/ARMDCHammer or\n                           /usr/sbin/pkgutil or\n                           /usr/bin/shasum or\n                           /usr/bin/perl* or\n                           /usr/sbin/spctl or\n                           /usr/sbin/installer)\n",
+    "references": [
+      "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Cmd Execution via WMI",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
+    "risk_score": 47,
+    "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
+    "query": "library where dll.name :\n  (\n  \"wlbsctrl.dll\",\n  \"wbemcomn.dll\",\n  \"WptsExtensions.dll\",\n  \"Tsmsisrv.dll\",\n  \"TSVIPSrv.dll\",\n  \"Msfte.dll\",\n  \"wow64log.dll\",\n  \"WindowsCoreDeviceInfo.dll\",\n  \"Ualapi.dll\",\n  \"wlanhlp.dll\",\n  \"phoneinfo.dll\",\n  \"EdgeGdi.dll\",\n  \"cdpsgshims.dll\",\n  \"windowsperformancerecordercontrol.dll\",\n  \"diagtrack_win.dll\"\n  ) and \nnot (dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and dll.code_signature.status : \"trusted\")\n",
+    "references": [
+      "https://itm4n.github.io/windows-dll-hijacking-clarified/",
+      "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+      "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
+      "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+      "https://windows-internals.com/faxing-your-way-to-system/",
+      "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.001",
+                "name": "DLL Search Order Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Emond Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n   \"bash\",\n   \"dash\",\n   \"sh\",\n   \"tcsh\",\n   \"csh\",\n   \"zsh\",\n   \"ksh\",\n   \"fish\",\n   \"Python\",\n   \"python*\",\n   \"perl*\",\n   \"php*\",\n   \"osascript\",\n   \"pwsh\",\n   \"curl\",\n   \"wget\",\n   \"cp\",\n   \"mv\",\n   \"touch\",\n   \"echo\",\n   \"base64\",\n   \"launchctl\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3e3d15c6-1509-479a-b125-21718372157e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution - Short Program Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+    "risk_score": 47,
+    "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution from a Mounted Device",
+    "query": "process where event.type == \"start\" and process.executable : \"C:\\\\*\" and\n  (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n  process.parent.name : \"explorer.exe\" and\n  process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n                  \"cscript.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              },
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              },
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.",
+    "false_positives": [
+      "Legitimate scheduled tasks running third party software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution via Scheduled Task",
+    "query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+    "risk_score": 47,
+    "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Explorer Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n   process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n   process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n  ) and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n  not process.parent.args:\n          (\n            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */\n            \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n            \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n          )\n",
+    "risk_score": 47,
+    "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Hidden Child Process of Launchd",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x61.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Image Load (taskschd.dll) from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"taskschd.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious ImagePath Service Creation",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+    "risk_score": 73,
+    "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious JAVA Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n",
+    "references": [
+      "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+      "https://github.com/christophetd/log4shell-vulnerable-app",
+      "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \n                \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \n                \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \n                \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \n                \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"outlook.exe\" and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n                  \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n                  \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n                  \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n                  \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n                  \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n                  \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type == \"start\" and \n  process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where event.type != \"deletion\" and\n  file.name : (\"wscript.exe.log\",\n               \"cscript.exe\",\n               \"mshta.exe.log\",\n               \"wmic.exe.log\",\n               \"svchost.exe.log\",\n               \"dllhost.exe.log\",\n               \"cmstp.exe.log\",\n               \"regsvr32.exe.log\")]\n",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"AcroRd32.exe\",\n                         \"Acrobat.exe\",\n                         \"FoxitPhantomPDF.exe\",\n                         \"FoxitReader.exe\") and\n  process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n                  \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n                  \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n                  \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n                  \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n                  \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n                  \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Portable Executable Encoded in Powershell Script",
+    "note": "## Triage and analysis.\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing\nAntiVirus software. These executables are generally base64 encoded.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    TVqQAAMAAAAEAAAA\n  )\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PowerShell Engine ImageLoad",
+    "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n  not process.name :\n  (\n    \"Altaro.SubAgent.exe\",\n    \"AppV_Manage.exe\",\n    \"azureadconnect.exe\",\n    \"CcmExec.exe\",\n    \"configsyncrun.exe\",\n    \"choco.exe\",\n    \"ctxappvservice.exe\",\n    \"DVLS.Console.exe\",\n    \"edgetransport.exe\",\n    \"exsetup.exe\",\n    \"forefrontactivedirectoryconnector.exe\",\n    \"InstallUtil.exe\",\n    \"JenkinsOnDesktop.exe\",\n    \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n    \"mmc.exe\",\n    \"mscorsvw.exe\",\n    \"msexchangedelivery.exe\",\n    \"msexchangefrontendtransport.exe\",\n    \"msexchangehmworker.exe\",\n    \"msexchangesubmission.exe\",\n    \"msiexec.exe\",\n    \"MsiExec.exe\",\n    \"noderunner.exe\",\n    \"NServiceBus.Host.exe\",\n    \"NServiceBus.Host32.exe\",\n    \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n    \"OuiGui.WPF.exe\",\n    \"powershell.exe\",\n    \"powershell_ise.exe\",\n    \"pwsh.exe\",\n    \"SCCMCliCtrWPF.exe\",\n    \"ScriptEditor.exe\",\n    \"ScriptRunner.exe\",\n    \"sdiagnhost.exe\",\n    \"servermanager.exe\",\n    \"setup100.exe\",\n    \"ServiceHub.VSDetouredHost.exe\",\n    \"SPCAF.Client.exe\",\n    \"SPCAF.SettingsEditor.exe\",\n    \"SQLPS.exe\",\n    \"telemetryservice.exe\",\n    \"UMWorkerProcess.exe\",\n    \"w3wp.exe\",\n    \"wsmprovhost.exe\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+    "false_positives": [
+      "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler File Deletion",
+    "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler Point and Print DLL",
+    "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+    "references": [
+      "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
+      "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : \"spl\" and\n  file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n  not process.name : (\"spoolsv.exe\",\n                      \"printfilterpipelinesvc.exe\",\n                      \"PrintIsolationHost.exe\",\n                      \"splwow64.exe\",\n                      \"msiexec.exe\",\n                      \"poqexec.exe\")\n",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n  file.extension : (\"exe\", \"dll\") and\n  not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 73,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Access via Direct System Call",
+    "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1278013896440324096",
+      "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+    ],
+    "risk_score": 73,
+    "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Creation CallTrace",
+    "query": "sequence by host.id with maxspan=1m\n  [process where event.code == \"1\" and\n   /* sysmon process creation */\n   process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                          \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                          \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\",\n                          \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\")] by process.parent.entity_id, process.entity_id\n  [process where event.code == \"10\" and\n   /* Sysmon process access event from unknown module */\n   winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n",
+    "risk_score": 43,
+    "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process from Conhost",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"conhost.exe\" and\n  not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious RDP ActiveX Client Loaded",
+    "query": "library where dll.name : \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n  process.executable :\n    (\n    \"C:\\\\Windows\\\\*\",\n    \"C:\\\\Users\\\\Public\\\\*\",\n    \"C:\\\\Users\\\\Default\\\\*\",\n    \"C:\\\\Intel\\\\*\",\n    \"C:\\\\PerfLogs\\\\*\",\n    \"C:\\\\ProgramData\\\\*\",\n    \"\\\\Device\\\\Mup\\\\*\",\n    \"\\\\\\\\*\"\n    ) and\n    /* add here FPs */\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 47,
+    "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Script Object Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n  [process where event.type == \"start\" \n   and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n   process.code_signature.trusted == true) and\n     not process.executable : (\n       \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n       \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n       \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n       \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n       \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n  [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n",
+    "risk_score": 47,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.",
+    "false_positives": [
+      "Trusted SolarWinds child processes, verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious SolarWinds Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Startup Shell Folder Modification",
+    "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Activity\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges\nwhich can be ideal for an attacker.\n\n#### Possible investigation steps:\n- Review the source process and related file tied to the Windows Registry entry\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations\n- Determine if activity is unique by validating if other machines in same organization have similar entry\n\n### False Positive Analysis\n- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. Before entering further\ninvestigation, this activity should be validated that is it not related to benign activity\n\n### Related Rules\n- Startup or Run Key Registry Modification\n- Persistent Scripts in the Startup Directory\n\n### Response and Remediation\n- Activity should first be validated as a true positive event if so then immediate response should be taken to review,\ninvestigate and potentially isolate activity to prevent further post-compromise behavior\n- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand\nit's behavior and capabilities\n- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first\ninitialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source\nof the attack, this information can then be used to search for similar indicators on other machines in the same environment.\n",
+    "query": "registry where\n registry.path : (\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n     ) and\n  registry.data.strings != null and\n  /* Normal Startup Folder Paths */\n  not registry.data.strings : (\n           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n           )\n",
+    "risk_score": 73,
+    "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMI Image Load from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"wmiutils.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
+    ],
+    "risk_score": 21,
+    "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n   process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows error reporting debugger or applications restarted by WerFault after a crash."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WerFault Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"WerFault.exe\" and\n  not process.name : (\"cofire.exe\",\n                      \"psr.exe\",\n                      \"VsJITDebugger.exe\",\n                      \"TTTracer.exe\",\n                      \"rundll32.exe\",\n                      \"LogiOptionsMgr.exe\") and\n  not process.args : (\"/LOADSAVEDWINDOWS\",\n                      \"/restore\",\n                      \"RestartByRestartManager*\",\n                      \"--restarted\",\n                      \"createdump\",\n                      \"dontsend\",\n                      \"/watson\")\n",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+      "https://blog.menasec.net/2021/01/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Zoom Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          },
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious macOS MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n   \"bash\", \n   \"dash\", \n   \"sh\", \n   \"tcsh\", \n   \"csh\", \n   \"zsh\", \n   \"ksh\", \n   \"fish\", \n   \"python*\", \n   \"perl*\", \n   \"php*\", \n   \"osascript\",\n   \"pwsh\", \n   \"curl\", \n   \"wget\", \n   \"cp\", \n   \"mv\", \n   \"base64\", \n   \"launchctl\"\n  ) and\n  /* noisy false positives related to product version discovery and office errors reporting */\n  not process.args:\n    (\n      \"ProductVersion\",\n      \"hw.model\",\n      \"ioreg\",\n      \"ProductName\",\n      \"ProductUserVisibleVersion\",\n      \"ProductBuildVersion\",\n      \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n    )\n",
+    "references": [
+      "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"
+    ],
+    "risk_score": 47,
+    "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Svchost spawning Cmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n  not (process.pe.original_file_name == \"Cmd.Exe\" and process.args : \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat??\")\n",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.",
+    "false_positives": [
+      "Legitimate administrative activity related to shadow copies"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Symbolic Link to Shadow Copy Created",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.pe.original_file_name == \"Cmd.Exe\" and\nprocess.args : \"*mklink*\" and\nprocess.args : \"*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
+      "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Log File Deletion",
+    "query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Shells via Services",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"services.exe\" and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n  \n  /* Third party FP's */\n  not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SystemKey Access via Command Line",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:\"/private/var/db/SystemKey\"\n",
+    "references": [
+      "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"
+    ],
+    "risk_score": 73,
+    "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "TCC Bypass via Mounted APFS Snapshot Access",
+    "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and\n  process.args : (/System/Volumes/Data and noowners)\n",
+    "references": [
+      "https://theevilbit.github.io/posts/cve_2020_9771/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1006",
+            "name": "Direct Volume Access",
+            "reference": "https://attack.mitre.org/techniques/T1006/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Tampering of Bash Command-Line History",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (\n  (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n  (process.name : \"history\" and process.args : \"-c\") or\n  (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n  (process.args : \"unset\" and process.args : \"HISTFILE\") or\n  (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.",
+    "false_positives": [
+      "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Third-party Backup Files Deleted via Unexpected Process",
+    "query": "file where event.type == \"deletion\" and\n  (\n  /* Veeam Related Backup Files */\n  (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n  not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n                            \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n  /* Veritas Backup Exec Related Backup File */\n  (file.extension : \"BKF\" and\n  not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n  )\n",
+    "references": [
+      "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"
+    ],
+    "risk_score": 47,
+    "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "filebeat-8*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "logs-ti_*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Timestomping using Touch Command",
+    "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
+    "risk_score": 47,
+    "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.006",
+                "name": "Timestomp",
+                "reference": "https://attack.mitre.org/techniques/T1070/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "references": [
+      "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
+    "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Windows Directory Masquerading",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+    "references": [
+      "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
+    ],
+    "risk_score": 73,
+    "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n  not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n  process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+    "references": [
+      "https://github.com/AzAgarampur/byeintegrity-uac"
+    ],
+    "risk_score": 47,
+    "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an unauthorized access attempt is made by a user for an Okta application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unauthorized Access to an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+    "risk_score": 21,
+    "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Uncommon Registry Persistence Change",
+    "query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+    "references": [
+      "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"
+    ],
+    "risk_score": 47,
+    "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unexpected Child Process of macOS Screensaver Engine",
+    "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas downloading a payload from a server\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n",
+    "query": "process where event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.pid == 4 and\n  not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n  not process.name : \"conhost.exe\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-60m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "30m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule focuses on AWS command activity where the country from the source of the activity has been\nconsidered unusual based on previous history.\n\n#### Possible investigation steps:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS,\ntherefore it's important to validate the activity listed in the investigation steps above.\n\n### Related Rules\n- Unusual City For an AWS Command\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : (\"exe\", \"dll\") and\n  process.name : (\"smss.exe\",\n                  \"autochk.exe\",\n                  \"csrss.exe\",\n                  \"wininit.exe\",\n                  \"services.exe\",\n                  \"lsass.exe\",\n                  \"winlogon.exe\",\n                  \"userinit.exe\",\n                  \"LogonUI.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Creation - Alternate Data Stream",
+    "query": "file where event.type == \"creation\" and\n  file.path : \"C:\\\\*:*\" and\n  not file.path : \"C:\\\\*:zone.identifier*\" and\n  file.extension :\n    (\n      \"pdf\",\n      \"dll\",\n      \"png\",\n      \"exe\",\n      \"dat\",\n      \"com\",\n      \"bat\",\n      \"cmd\",\n      \"sys\",\n      \"vbs\",\n      \"ps1\",\n      \"hta\",\n      \"txt\",\n      \"vbe\",\n      \"js\",\n      \"wsh\",\n      \"docx\",\n      \"doc\",\n      \"xlsx\",\n      \"xls\",\n      \"pptx\",\n      \"ppt\",\n      \"rtf\",\n      \"gif\",\n      \"jpg\",\n      \"png\",\n      \"bmp\",\n      \"img\",\n      \"iso\"\n    )\n",
+    "risk_score": 47,
+    "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n  not file.name : \"dns.log\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
+    "false_positives": [
+      "Users working late, or logging in from unusual time zones while traveling, may trigger this rule."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_hour_for_a_user",
+    "name": "Unusual Hour for a User to Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_network_port_activity_ecs",
+      "v2_linux_anomalous_network_port_activity_ecs"
+    ],
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_process",
+      "v2_linux_rare_metadata_process"
+    ],
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_user",
+      "v2_linux_rare_metadata_user"
+    ],
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_user_name_ecs",
+      "v2_linux_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Linux Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via DllHost",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"dllhost.exe\" and process.args_count == 1]\n  [network where process.name : \"dllhost.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n    \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n    \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n    \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n    \"FF00::/8\")]\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and\n  process.parent.name : (\"lsass.exe\",\n                         \"csrss.exe\",\n                         \"epad.exe\",\n                         \"regsvr32.exe\",\n                         \"dllhost.exe\",\n                         \"LogonUI.exe\",\n                         \"wermgr.exe\",\n                         \"spoolsv.exe\",\n                         \"jucheck.exe\",\n                         \"jusched.exe\",\n                         \"ctfmon.exe\",\n                         \"taskhostw.exe\",\n                         \"GoogleUpdate.exe\",\n                         \"sppsvc.exe\",\n                         \"sihost.exe\",\n                         \"slui.exe\",\n                         \"SIHClient.exe\",\n                         \"SearchIndexer.exe\",\n                         \"SearchProtocolHost.exe\",\n                         \"FlashPlayerUpdateService.exe\",\n                         \"WerFault.exe\",\n                         \"WUDFHost.exe\",\n                         \"unsecapp.exe\",\n                         \"wlanext.exe\" )\n",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+    "references": [
+      "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
+      "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
+    ],
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Persistence via Services Registry",
+    "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n                               \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n                            \"?:\\\\Program Files (x86)\\\\*.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n                            \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\services.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.",
+    "false_positives": [
+      "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Print Spooler Child Process",
+    "query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and user.id : \"S-1-5-18\" and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp\n",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution Path - Alternate Data Stream",
+    "query": "process where event.type == \"start\" and\n  process.args : \"?:\\\\*:*\" and process.args_count == 1\n",
+    "risk_score": 47,
+    "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_linux_ecs",
+      "v2_rare_process_by_host_linux_ecs"
+    ],
+    "name": "Unusual Process For a Linux Host",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_windows_ecs",
+      "v2_rare_process_by_host_windows_ecs"
+    ],
+    "name": "Unusual Process For a Windows Host",
+    "note": "## Triage and analysis\n\n###  Investigating an Unusual Windows Process\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.\nBy understanding what is commonly run within an environment and developing baselines for legitimate activity can help\nuncover potential malware and suspicious behaviors.\n\n#### Possible investigation steps:\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\n\n### False Positive Analysis\n- Validate the unusual Windows process is not related to new benign software installation activity. If related to\nlegitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch\nAPI to tune this rule to your environment\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose.  It's possible that a small number of endpoints\nsuch as servers that have very unique software that might appear to be unusual, but satisfy a specific business need.\n\n### Related Rules\n- Anomalous Windows Process Creation\n- Unusual Windows Path Activity\n- Unusual Windows Process Calling the Metadata Service\n\n### Response and Remediation\n- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious\n- Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise\nbehavior such as setting up persistence or performing lateral movement.\n- Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on\nwhat is allowed to run on Windows infrastructure.\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.",
+    "false_positives": [
+      "Changes to Windows services or a rarely executed child process."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Service Host Child Process - Childless Service",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+    "false_positives": [
+      "Business travelers who roam to new locations may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_source_ip_for_a_user",
+    "name": "Unusual Source IP for a User to Logon from",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_network_activity_ecs",
+      "v2_windows_anomalous_network_activity_ecs"
+    ],
+    "name": "Unusual Windows Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_path_activity_ecs",
+      "v2_windows_anomalous_path_activity_ecs"
+    ],
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_process",
+      "v2_windows_rare_metadata_process"
+    ],
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_user",
+      "v2_windows_rare_metadata_user"
+    ],
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_user_name_ecs",
+      "v2_windows_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Windows Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Account Creation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"net.exe\", \"net1.exe\") and\n  not process.parent.name : \"net.exe\" and\n  (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Application",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Skoetting"
+    ],
+    "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Added to Privileged Group in Active Directory",
+    "query": "iam where event.action == \"added-member-to-group\" and\n  group.name : (\"Admin*\",\n                \"Local Administrators\",\n                \"Domain Admins\",\n                \"Enterprise Admins\",\n                \"Backup Admins\",\n                \"Schema Admins\",\n                \"DnsAdmins\",\n                \"Exchange Organization Administrators\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(\"/sys/class/dmi/id/bios_version\" or\n                \"/sys/class/dmi/id/product_name\" or\n                \"/sys/class/dmi/id/chassis_vendor\" or\n                \"/proc/scsi/scsi\" or\n                \"/proc/ide/hd0/model\") and\n  not user.name:root\n",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting via Grep",
+    "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and \n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x4F.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Private Network Connection Attempt",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n    (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n  )\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+      "https://www.unix.com/man-page/osx/8/networksetup/",
+      "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
+    ],
+    "risk_score": 21,
+    "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and event.action == \"start\" \n  and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n  process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n  process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n  process.args : (\"*Win32_ShadowCopy*\") and\n  process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
+      "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",
+      "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"
+    ],
+    "risk_score": 73,
+    "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WMI Incoming Lateral Movement",
+    "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent string.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.",
+    "false_positives": [
+      "Legitimate WebProxy Settings Modification"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "WebProxy Settings Modification",
+    "query": "event.category : process and event.type : start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n                                  \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n                                  \"/usr/libexec/xpcproxy\")\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WebServer Access Logs Deleted",
+    "query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+    "risk_score": 47,
+    "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Webshell Detection: Script Process Child of Common Web Processes",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n  process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whitespace Padding in Process Command Line",
+    "note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+    "references": [
+      "https://twitter.com/JohnLaTwC/status/1419251082736201737"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whoami Process Activity",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"\n",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.002",
+                "name": "Code Signing",
+                "reference": "https://attack.mitre.org/techniques/T1553/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Disabled via Registry Modification",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+    "references": [
+      "https://thedfirreport.com/2020/12/13/defender-control/"
+    ],
+    "risk_score": 21,
+    "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Exclusions Added via PowerShell",
+    "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n  process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n  process.args : (\"*-Exclusion*\")\n",
+    "references": [
+      "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Anabella Cristaldi"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows Event Logs Cleared",
+    "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+    "risk_score": 21,
+    "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.",
+    "false_positives": [
+      "Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Firewall Disabled via PowerShell",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n   process.args : \"*Set-NetFirewallProfile*\" and\n  (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n  (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+      "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+      "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+      "http://woshub.com/manage-windows-firewall-powershell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Network Enumeration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestry is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+    "risk_score": 47,
+    "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          },
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Executing PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Interpreter Executing Process via WMI",
+    "query": "sequence by host.id with maxspan = 5s\n    [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name :\n        (\n          \"cscript.exe\",\n          \"wscript.exe\",\n          \"PowerShell.EXE\",\n          \"Cmd.Exe\",\n          \"MSHTA.EXE\",\n          \"RUNDLL32.EXE\",\n          \"REGSVR32.EXE\",\n          \"MSBuild.exe\",\n          \"InstallUtil.exe\",\n          \"RegAsm.exe\",\n          \"RegSvcs.exe\",\n          \"msxsl.exe\",\n          \"CONTROL.EXE\",\n          \"EXPLORER.EXE\",\n          \"Microsoft.Workflow.Compiler.exe\",\n          \"msiexec.exe\"\n        ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
+    "risk_score": 47,
+    "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n  event.action:meeting.created and not zoom.meeting.password:*\n",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.",
+    "false_positives": [
+      "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "macOS Installer Spawns Network Event",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type == \"start\" and host.os.family == \"macos\" and\n    process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [network where not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://redcanary.com/blog/clipping-silver-sparrows-wings",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/generate.py b/prebuilt-rules-scripts/generate.py
index 3dbd47021d..fa18c07420 100644
--- a/prebuilt-rules-scripts/generate.py
+++ b/prebuilt-rules-scripts/generate.py
@@ -380,7 +380,7 @@ def format_text(text):
 
         if rule['version'] == 1:
             version_text = str(rule['version'])
-        if rule['version'] > 1:
+        if rule['version'] > 1 and rule.get('changelog'):
             version_text = str(rule['version']) + " <<" + link_string + "-history, Version history>>"
 
         new_text = new_text + " |" + tag_strings + " |" + rule['added'] + " |" + version_text + "\n\n"
@@ -455,7 +455,10 @@ def format_text(text):
             file_text = file_text + "* " + i + "\n"
         if rule['version'] == 1:
             file_text = file_text + "\n*Version*: " + str(rule['version']) + "\n\n"
-        if rule['version'] > 1:
+        # DEBUG
+        # if rule['version'] > 1 and not rule.get('changelog'):
+        #    print(rule_link)
+        if rule['version'] > 1 and rule.get('changelog'):
             file_text = file_text + "\n*Version*: " + str(
                 rule['version']) + " (<<" + rule_link + "-history, version history>>)" + "\n\n"
 
diff --git a/prebuilt-rules-scripts/orig-rules-json-files/7.16.0-prebuilt-rule.json b/prebuilt-rules-scripts/orig-rules-json-files/7.16.0-prebuilt-rule.json
new file mode 100644
index 0000000000..649358f413
--- /dev/null
+++ b/prebuilt-rules-scripts/orig-rules-json-files/7.16.0-prebuilt-rule.json
@@ -0,0 +1,32154 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Config Service Tampering",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
+      "https://github.com/easttimor/aws-incident-response"
+    ],
+    "risk_score": 47,
+    "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1020",
+            "name": "Automated Exfiltration",
+            "reference": "https://attack.mitre.org/techniques/T1020/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1074",
+            "name": "Data Staged",
+            "reference": "https://attack.mitre.org/techniques/T1074/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.",
+    "false_positives": [
+      "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 VM Export Failure",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
+    ],
+    "risk_score": 21,
+    "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.",
+    "false_positives": [
+      "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EFS File System or Mount Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been created.",
+    "false_positives": [
+      "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been modified or deleted.",
+    "false_positives": [
+      "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or \n\"Authorize Cache Security Group Ingress\" or  \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or \n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or breaking the flow with other AWS services.",
+    "false_positives": [
+      "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EventBridge Rule Disabled or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Execution via System Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and\n  event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n  aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+    "false_positives": [
+      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM User Addition to Group",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "cloud.account.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Root Login",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.",
+    "false_positives": [
+      "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.",
+    "false_positives": [
+      "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Export",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Restored",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
+      "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"
+    ],
+    "risk_score": 47,
+    "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Root Login Without MFA",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n  aws.cloudtrail.user_identity.type:Root and\n  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n  event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
+    "false_positives": [
+      "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transfer Lock Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.",
+    "false_positives": [
+      "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transferred to Another Account",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been created.",
+    "false_positives": [
+      "Route Table being created may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"
+    ],
+    "risk_score": 21,
+    "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been modified or deleted.",
+    "false_positives": [
+      "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Also automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n",
+    "references": [
+      "https://github.com/easttimor/aws-incident-response#network-routing",
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a Route53 private hosted zone has been associated with VPC.",
+    "false_positives": [
+      "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route53 private hosted zone associated with a VPC",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n                DeleteBucketEncryption or DeleteBucketLifecycle)\n  and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.",
+    "false_positives": [
+      "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS SAML Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
+    "false_positives": [
+      "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS STS GetSessionToken Abuse",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and \naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.",
+    "false_positives": [
+      "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Group Configuration Change Detection",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.",
+    "false_positives": [
+      "Automated processes that uses Terraform may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Token Service (STS) AssumeRole Usage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
+    "false_positives": [
+      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Abnormally Large DNS Response",
+    "note": "## Triage and analysis\n\n### Investigating Large DNS Responses\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS\nserver. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)\nalso known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps:\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate\nthe source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.\n- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False Positive Analysis\n- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes\nand related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses\nwere all observed as greater than 65k bytes.\n- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's\nimportant to determine the source of the activity and potential whitelist the source host\n\n\n### Related Rules\n- Unusual Child Process of dns.exe\n- Unusual File Modification by dns.exe\n\n### Response and Remediation\n- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the\npatched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a\nrestart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and\n  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access of Stored Browser Credentials",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n      \"/Users/*/Library/Cookies*\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n      \"Login Data\",\n      \"Cookies.binarycookies\", \n      \"key4.db\", \n      \"key3.db\", \n      \"logins.json\", \n      \"cookies.sqlite\"\n    )\n",
+    "references": [
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access to Keychain Credentials Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Keychains/*\",\n      \"/Library/Keychains/*\",\n      \"/Network/Library/Keychains/*\",\n      \"System.keychain\",\n      \"login.keychain-db\",\n      \"login.keychain\"\n    ) and\n    not process.args : (\"find-certificate\",\n                      \"add-trusted-cert\",\n                      \"set-keychain-settings\",\n                      \"delete-certificate\",\n                      \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n                      \"show-keychain-info\",\n                      \"lock-keychain\",\n                      \"set-key-partition-list\",\n                      \"import\",\n                      \"find-identity\") and\n    not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html",
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "AdFind Command Activity",
+    "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from\nActivity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways\nthey are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and\nunderstand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)\nobserved where this tool has been adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps:\n- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand\nthe source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines\nwhat information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.\n- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted\nmachine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic\nto suspicious infrastructure\n\n### False Positive Analysis\n- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One\noption could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can\nbe done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines could be very telling.\n\n### Related Rules\n- Windows Network Enumeration\n- Enumeration of Administrator Accounts\n- Enumeration Command Spawned via WMIPrvSE\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior\n- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate\npurposes, so understanding the intent behind the activity will help determine the appropropriate response.\n",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+    "references": [
+      "http://www.joeware.net/freetools/tools/adfind/",
+      "https://thedfirreport.com/2020/05/08/adfind-recon/",
+      "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+      "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+      "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/",
+            "subtechnique": [
+              {
+                "id": "T1087.002",
+                "name": "Domain Account",
+                "reference": "https://attack.mitre.org/techniques/T1087/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1482",
+            "name": "Domain Trust Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1482/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"attrib.exe\" and process.args : \"+h\"\n",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Privileges Assigned to an Okta Group",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Role Assigned to an Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Okta",
+      "SecOps",
+      "Monitoring",
+      "Continuous Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adobe Hijack Persistence",
+    "query": "file where event.type == \"creation\" and\n  file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n               \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n  not process.name : \"msiexec.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.010",
+                "name": "Services File Permissions Weakness",
+                "reference": "https://attack.mitre.org/techniques/T1574/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Adversary Behavior - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events which have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Mismatched Agent ID",
+    "query": "event.agent_id_status:agent_id_mismatch\n",
+    "risk_score": 73,
+    "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Multiple Hosts Using Same Agent",
+    "query": "event.agent_id_status:*\n",
+    "risk_score": 73,
+    "rule_id": "493834ca-f861-414c-8602-150d5505b777",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "host.id",
+          "value": 2
+        }
+      ],
+      "field": [
+        "agent.id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_process_all_hosts_ecs",
+      "v2_linux_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Linux Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_all_hosts_ecs",
+      "v2_windows_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Windows Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_creation",
+      "v2_windows_anomalous_process_creation"
+    ],
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Script Execution followed by Network Connection",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Command and Control",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Scripting Execution with Administrator Privileges",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n  process.command_line : \"osascript*with administrator privileges\"\n",
+    "references": [
+      "https://discussions.apple.com/thread/2266150"
+    ],
+    "risk_score": 47,
+    "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+    "false_positives": [
+      "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Application Added to Google Workspace Domain",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+    "references": [
+      "https://support.google.com/a/answer/6328701?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Create Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate MFA for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Gatekeeper",
+    "query": "event.category:process and event.type:(start or process_started) and \n  process.args:(spctl and \"--master-disable\")\n",
+    "references": [
+      "https://support.apple.com/en-us/HT202491",
+      "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
+    ],
+    "risk_score": 47,
+    "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:ufw and process.args:(allow or disable or reset) or\n\n  (((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill))) and\n   process.args:(firewalld or ip6tables or iptables))\n",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  ((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill)))\n  and process.args:(syslog or rsyslog or \"syslog-ng\")\n",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Enable the Root Account",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/dsenableroot.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Install Root Certificate",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:security and process.args:\"add-trusted-cert\"\n",
+    "references": [
+      "https://ss64.com/osx/security-cert.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Mount SMB Share via Command Line",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    process.name : \"mount_smbfs\" or\n    (process.name : \"open\" and process.args : \"smb://*\") or\n    (process.name : \"mount\" and process.args : \"smbfs\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n  )\n",
+    "references": [
+      "https://www.freebsd.org/cgi/man.cgi?mount_smbfs",
+      "https://ss64.com/osx/mount.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Remove File Quarantine Attribute",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"xattr\" and\n  (\n    (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n    (process.args : \"-c\" and process.command_line :\n      (\n        \"/bin/bash -c xattr -c *\",\n        \"/bin/zsh -c xattr -c *\",\n        \"/bin/sh -c xattr -c *\"\n      )\n    )\n  )\n",
+    "references": [
+      "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+      "https://ss64.com/osx/xattr.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Reset MFA Factors for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n",
+    "risk_score": 73,
+    "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force a Microsoft 365 User Account",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n                             UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure\n",
+    "references": [
+      "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+    ],
+    "risk_score": 73,
+    "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt occurred at a forbidden time.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login Attempt at Forbidden Time",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"
+    ],
+    "risk_score": 47,
+    "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt has happened from a forbidden location.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login from Forbidden Location",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"
+    ],
+    "risk_score": 73,
+    "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number of failed login attempts has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Failed Login Attempts",
+    "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"
+    ],
+    "risk_score": 47,
+    "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number login sessions has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Login Sessions",
+    "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"
+    ],
+    "risk_score": 47,
+    "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Authorization Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:(/Library/Security/SecurityAgentPlugins/* and\n  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)\n",
+    "references": [
+      "https://developer.apple.com/documentation/security/authorization_plug-ins",
+      "https://www.xorrior.com/persistent-credential-theft/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n  event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 73,
+    "rule_id": "37994bca-0611-4500-ab67-5588afe73b77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.",
+    "false_positives": [
+      "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory PowerShell Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n  azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.004",
+                "name": "Cloud Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.",
+    "false_positives": [
+      "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Application Credential Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Account Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n  (\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Webhook Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n    (\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n    ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Permissions Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\n  (\n    azure.activitylogs.operation_name:\"Update policy\" or\n    azure.auditlogs.operation_name:\"Update policy\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure External Guest User Invitation",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"
+    ],
+    "risk_score": 21,
+    "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n    (\n        \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n    ) and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n    azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n                                    \"Add member to role in PIM completed (timebound)\") and\n    azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n    event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Key Vault Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
+    "false_positives": [
+      "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Events Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.",
+    "false_positives": [
+      "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Pods Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Network Watcher Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Resource Group Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+    "false_positives": [
+      "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Addition",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.",
+    "false_positives": [
+      "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Credentials Added",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials.\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1496",
+            "name": "Resource Hijacking",
+            "reference": "https://attack.mitre.org/techniques/T1496/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.",
+    "false_positives": [
+      "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Virtual Network Device Modified or Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\"or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 21,
+    "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(base16 or base32 or base32plain or base32hex)\n",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.",
+    "false_positives": [
+      "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Bash Shell Profile Modification",
+    "query": "event.category:file and event.type:change and\n  process.name:(* and not (sudo or\n                           vim or\n                           zsh or\n                           env or\n                           nano or\n                           bash or\n                           Terminal or\n                           xpcproxy or\n                           login or\n                           cat or\n                           cp or\n                           launchctl or\n                           java)) and\n  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n  file.path:(/private/etc/rc.local or\n             /etc/rc.local or\n             /home/*/.profile or\n             /home/*/.profile1 or\n             /home/*/.bash_profile or\n             /home/*/.bash_profile1 or\n             /home/*/.bashrc or\n             /Users/*/.bash_profile or\n             /Users/*/.zshenv)\n",
+    "references": [
+      "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.004",
+                "name": "Unix Shell Configuration Modification",
+                "reference": "https://attack.mitre.org/techniques/T1546/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : \n            (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n             \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n             \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Event Logs",
+    "query": "process where event.type in (\"process_started\", \"start\") and\n  (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n    process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.",
+    "false_positives": [
+      "Trusted SolarWinds child processes. Verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Execution via SolarWinds Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.",
+    "false_positives": [
+      "Microsoft Windows installers leveraging RunDLL32 for installation."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Shell Activity Started via RunDLL32",
+    "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n  /* common FPs can be added here */\n  not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n                             \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n",
+    "risk_score": 21,
+    "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Component Object Model Hijacking",
+    "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+    "references": [
+      "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.015",
+                "name": "Component Object Model Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1546/015/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"conhost.exe\" and\n  process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n                         \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n                         \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Free SSL Certificate Providers",
+    "query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1573",
+            "name": "Encrypted Channel",
+            "reference": "https://attack.mitre.org/techniques/T1573/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Web Services",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n    )\n",
+    "risk_score": 21,
+    "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1102",
+            "name": "Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1102/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1567",
+            "name": "Exfiltration Over Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1567/",
+            "subtechnique": [
+              {
+                "id": "T1567.001",
+                "name": "Exfiltration to Code Repository",
+                "reference": "https://attack.mitre.org/techniques/T1567/001/"
+              },
+              {
+                "id": "T1567.002",
+                "name": "Exfiltration to Cloud Storage",
+                "reference": "https://attack.mitre.org/techniques/T1567/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                              \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                              \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                              \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                              \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                              \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse Control.exe to proxy execution of malicious code.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Control Panel Process with Unusual Arguments",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n          (\"*.jpg*\",\n           \"*.png*\",\n           \"*.gif*\",\n           \"*.bmp*\",\n           \"*.jpeg*\",\n           \"*.TIFF*\",\n           \"*.inf*\",\n           \"*.dat*\",\n           \"*.cpl:*/*\",\n           \"*../../..*\",\n           \"*/AppData/Local/*\",\n           \"*:\\\\Users\\\\Public\\\\*\",\n           \"*\\\\AppData\\\\Local\\\\*\")\n",
+    "references": [
+      "https://www.joesandbox.com/analysis/476188/1/html"
+    ],
+    "risk_score": 73,
+    "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.002",
+                "name": "Control Panel",
+                "reference": "https://attack.mitre.org/techniques/T1218/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n  process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n  not process.name in (\"ls\", \"find\")\n",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Launch Agent or Daemon",
+    "query": "file where event.type != \"deletion\" and\n  file.path : \n  (\n    \"/System/Library/LaunchAgents/.*.plist\",\n    \"/Library/LaunchAgents/.*.plist\",\n    \"/Users/*/Library/LaunchAgents/.*.plist\",\n    \"/System/Library/LaunchDaemons/.*.plist\",\n    \"/Library/LaunchDaemons/.*.plist\"\n  )\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Login Item via Apple Script",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
+    "risk_score": 47,
+    "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.002",
+                "name": "AppleScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of a Hidden Local User Account",
+    "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+    "references": [
+      "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+      "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
+    ],
+    "risk_score": 73,
+    "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.004",
+                "name": "Private Keys",
+                "reference": "https://attack.mitre.org/techniques/T1552/004/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Root Certificate",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path :\n    (\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+      "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"
+    ],
+    "risk_score": 21,
+    "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "file where event.type != \"deletion\" and\n  file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n               \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n  not process.name : \"dfsrs.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Credential Acquisition via Registry Hive Dumping",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              },
+              {
+                "id": "T1003.004",
+                "name": "LSA Secrets",
+                "reference": "https://attack.mitre.org/techniques/T1003/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Credential Dumping - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Credential Dumping - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Credential Manipulation - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Credential Manipulation - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Error",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"
+    ],
+    "risk_score": 73,
+    "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Recommended Monitor",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and\n  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n  not event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 12
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "DNS-over-HTTPS Enabled via Registry",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n  registry.data.strings : \"secure\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+      "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"
+    ],
+    "risk_score": 21,
+    "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Default Cobalt Strike Team Server Certificate",
+    "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
+    "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
+    "references": [
+      "https://attack.mitre.org/software/S0154/",
+      "https://www.cobaltstrike.com/help-setup-collaboration",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
+    "severity": "critical",
+    "tags": [
+      "Command and Control",
+      "Post-Execution",
+      "Threat Detection",
+      "Elastic",
+      "Network",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"deletejournal\" and process.args : \"usn\"\n",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n  process.args : \"catalog\" and process.args : \"delete\"\n",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic",
+      "Ivan Ninichuck",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Event and Security Logs Using Built-in Tools",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n\n  ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n      process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n  ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n      (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\")  or\n\t\n  ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"
+    ],
+    "risk_score": 21,
+    "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"netsh.exe\" and\n  (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n  (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling User Account Control via Registry Modification",
+    "query": "registry where event.type == \"change\" and\n  registry.path :\n    (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n    ) and\n  registry.data.strings : \"0\"\n",
+    "references": [
+      "https://www.greyhathacker.net/?p=796",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+    "false_positives": [
+      "Planned Windows Defender configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling Windows Defender Security Settings via PowerShell",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
+    "false_positives": [
+      "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Domain Added to Google Workspace Trusted Domains",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+    "references": [
+      "https://support.google.com/a/answer/6160020?hl=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Dumping Account Hashes via Built-In Commands",
+    "query": "event.category:process and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n",
+    "references": [
+      "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+      "https://www.unix.com/man-page/osx/8/mkpassdb/"
+    ],
+    "risk_score": 73,
+    "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Dumping of Keychain Content via Security Command",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/security.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "EggShell Backdoor Execution",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n",
+    "references": [
+      "https://github.com/neoneggplant/EggShell"
+    ],
+    "risk_score": 73,
+    "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Emond Rules Creation or Modification",
+    "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+    "false_positives": [
+      "Host Windows Firewall planned system administration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enable Host Network Discovery via Netsh",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+    "risk_score": 47,
+    "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encoded Executable Stored in the Registry",
+    "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+    "risk_score": 47,
+    "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encrypting Files with WinRar or 7z",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
+    ],
+    "risk_score": 47,
+    "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration Command Spawned via WMIPrvSE",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name:\n  (\n    \"arp.exe\",\n    \"dsquery.exe\",\n    \"dsget.exe\",\n    \"gpresult.exe\",\n    \"hostname.exe\",\n    \"ipconfig.exe\",\n    \"nbtstat.exe\",\n    \"net.exe\",\n    \"net1.exe\",\n    \"netsh.exe\",\n    \"netstat.exe\",\n    \"nltest.exe\",\n    \"ping.exe\",\n    \"qprocess.exe\",\n    \"quser.exe\",\n    \"qwinsta.exe\",\n    \"reg.exe\",\n    \"sc.exe\",\n    \"systeminfo.exe\",\n    \"tasklist.exe\",\n    \"tracert.exe\",\n    \"whoami.exe\"\n  ) and\n  process.parent.name:\"wmiprvse.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Administrator Accounts",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+    "risk_score": 21,
+    "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Users or Groups via Built-in Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n    \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n     \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n     \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n     \"/usr/local/jamf/bin/jamf\"\n    ) and \n  process.name : (\"ldapsearch\", \"dsmemberutil\") or\n  (process.name : \"dscl\" and \n     process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n     process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n",
+    "risk_score": 21,
+    "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Executable File Creation with Multiple Extensions",
+    "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n  file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n",
+    "risk_score": 47,
+    "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.004",
+                "name": "Masquerade Task or Service",
+                "reference": "https://attack.mitre.org/techniques/T1036/004/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution from Unusual Directory - Command Line",
+    "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name : (\"wscript.exe\", \n                  \"cscript.exe\", \n                  \"rundll32.exe\", \n                  \"regsvr32.exe\", \n                  \"cmstp.exe\",\n                  \"RegAsm.exe\",\n                  \"installutil.exe\",\n                  \"mshta.exe\",\n                  \"RegSvcs.exe\", \n                  \"powershell.exe\", \n                  \"pwsh.exe\", \n                  \"cmd.exe\") and\n                  \n  /* add suspicious execution paths here */\n  process.args : (\"C:\\\\PerfLogs\\\\*\",\n                  \"C:\\\\Users\\\\Public\\\\*\",\n                  \"C:\\\\Users\\\\Default\\\\*\",\n                  \"C:\\\\Windows\\\\Tasks\\\\*\",\n                  \"C:\\\\Intel\\\\*\", \n                  \"C:\\\\AMD\\\\Temp\\\\*\", \n                  \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n                  \"C:\\\\Windows\\\\ServiceState\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n                  \"C:\\\\Windows\\\\Branding\\\\*\",\n                  \"C:\\\\Windows\\\\csc\\\\*\",\n                  \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n                  \"C:\\\\Windows\\\\en-US\\\\*\",\n                  \"C:\\\\Windows\\\\wlansvc\\\\*\",\n                  \"C:\\\\Windows\\\\Prefetch\\\\*\",\n                  \"C:\\\\Windows\\\\Fonts\\\\*\",\n                  \"C:\\\\Windows\\\\diagnostics\\\\*\",\n                  \"C:\\\\Windows\\\\TAPI\\\\*\",\n                  \"C:\\\\Windows\\\\INF\\\\*\",\n                  \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n                  \"C:\\\\windows\\\\tracing\\\\*\",\n                  \"c:\\\\windows\\\\IME\\\\*\",\n                  \"c:\\\\Windows\\\\Performance\\\\*\",\n                  \"c:\\\\windows\\\\intel\\\\*\",\n                  \"c:\\\\windows\\\\ms\\\\*\",\n                  \"C:\\\\Windows\\\\dot3svc\\\\*\",\n                  \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n                  \"C:\\\\Windows\\\\panther\\\\*\",\n                  \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n                  \"C:\\\\Windows\\\\OCR\\\\*\",\n                  \"C:\\\\Windows\\\\appcompat\\\\*\",\n                  \"C:\\\\Windows\\\\apppatch\\\\*\",\n                  \"C:\\\\Windows\\\\addins\\\\*\",\n                  \"C:\\\\Windows\\\\Setup\\\\*\",\n                  \"C:\\\\Windows\\\\Help\\\\*\",\n                  \"C:\\\\Windows\\\\SKB\\\\*\",\n                  \"C:\\\\Windows\\\\Vss\\\\*\",\n                  \"C:\\\\Windows\\\\Web\\\\*\",\n                  \"C:\\\\Windows\\\\servicing\\\\*\",\n                  \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n                  \"C:\\\\Windows\\\\Logs\\\\*\",\n                  \"C:\\\\Windows\\\\WaaS\\\\*\",\n                  \"C:\\\\Windows\\\\twain_32\\\\*\",\n                  \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n                  \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n                  \"C:\\\\Windows\\\\PLA\\\\*\",\n                  \"C:\\\\Windows\\\\Migration\\\\*\",\n                  \"C:\\\\Windows\\\\debug\\\\*\",\n                  \"C:\\\\Windows\\\\Cursors\\\\*\",\n                  \"C:\\\\Windows\\\\Containers\\\\*\",\n                  \"C:\\\\Windows\\\\Boot\\\\*\",\n                  \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n                  \"C:\\\\Windows\\\\assembly\\\\*\",\n                  \"C:\\\\Windows\\\\TextInput\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\schemas\\\\*\",\n                  \"C:\\\\Windows\\\\SchCache\\\\*\",\n                  \"C:\\\\Windows\\\\Resources\\\\*\",\n                  \"C:\\\\Windows\\\\rescache\\\\*\",\n                  \"C:\\\\Windows\\\\Provisioning\\\\*\",\n                  \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n                  \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n                  \"C:\\\\Windows\\\\media\\\\*\",\n                  \"C:\\\\Windows\\\\Globalization\\\\*\",\n                  \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n                  \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n                  \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n                  \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n                  \"C:\\\\$Recycle.Bin\\\\*\") and\n  not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n                                   \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n                                   \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n  not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n",
+    "risk_score": 47,
+    "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of COM object via Xwizard",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n   (process.args : \"RunWizard\" and process.args : \"{*}\") or\n   (process.executable != null and\n     not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n   )\n )\n",
+    "references": [
+      "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+      "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of Persistent Suspicious Program",
+    "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n   /* add suspicious programs here */\n   process.pe.original_file_name in (\"cscript.exe\",\n                                     \"wscript.exe\",\n                                     \"PowerShell.EXE\",\n                                     \"MSHTA.EXE\",\n                                     \"RUNDLL32.EXE\",\n                                     \"REGSVR32.EXE\",\n                                     \"RegAsm.exe\",\n                                     \"MSBuild.exe\",\n                                     \"InstallUtil.exe\") and\n    /* add potential suspicious paths here */\n    process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution via Electron Child Process Node.js Module",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n",
+    "references": [
+      "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
+      "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
+      "https://nodejs.org/api/child_process.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via TSClient Mountpoint",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 73,
+    "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via local SxS Shared Module",
+    "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.",
+    "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"
+    ],
+    "risk_score": 47,
+    "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1129",
+            "name": "Shared Modules",
+            "reference": "https://attack.mitre.org/techniques/T1129/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution with Explicit Credentials via Scripting",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
+      "https://www.manpagez.com/man/8/security_authtrampoline/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Exploit - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Exploit - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Exporting Exchange Mailbox via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.002",
+                "name": "Remote Email Collection",
+                "reference": "https://attack.mitre.org/techniques/T1114/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "External IP Lookup from Non-Browser Process",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\",\n        \"*ipapi.co\",\n        \"*ip-lookup.net\",\n        \"*ipstack.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and\n  process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(chmod or chown or chattr or chgrp) and\n  process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n  not user.name:root\n",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.",
+    "false_positives": [
+      "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "File and Directory Discovery",
+    "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n",
+    "risk_score": 21,
+    "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1083",
+            "name": "File and Directory Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1083/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.",
+    "false_positives": [
+      "Trusted Finder Sync Plugins"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Finder Sync Plugin Registered and Enabled",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Role Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Kubernetes Rolebindings Created or Patched",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+      "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Disabled",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Key Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.",
+    "false_positives": [
+      "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+    "references": [
+      "https://developers.google.com/admin-sdk/directory/v1/guides/delegation"
+    ],
+    "risk_score": 47,
+    "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Assigned to a User",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/172176?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.",
+    "false_positives": [
+      "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Deletion",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Custom Admin Role Created",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace MFA Enforcement Disabled",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+    "references": [
+      "https://support.google.com/a/answer/9176657?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Password Policy Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and\n  event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  gsuite.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  ) or\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Role Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n  network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n  destination.port:(53 OR 80 OR 8080 OR 443)\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and\n  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n                user.account.unlock_token)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Process and/or Service Terminations",
+    "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
+    "risk_score": 47,
+    "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Hosts File Modified",
+    "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "any where\n\n  /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n     miss this, which is the purpose of the process + command line args logic below */\n  (\n   event.category == \"file\" and event.type in (\"change\", \"creation\") and\n     file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n  )\n  or\n\n  /* process events for change targeting linux only */\n  (\n   event.category == \"process\" and event.type in (\"start\") and\n     process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n     process.args : (\"/etc/hosts\")\n  )\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n  process.args : \"/dontLog*:*True\" and\n  not process.parent.name : \"iissetup.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.002",
+                "name": "Disable Windows Event Logging",
+                "reference": "https://attack.mitre.org/techniques/T1562/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Image File Execution Options Injection",
+    "query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+    "references": [
+      "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
+    ],
+    "risk_score": 41,
+    "rule_id": "6839c821-011d-43bd-bd5b-acff00257226",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.012",
+                "name": "Image File Execution Options Injection",
+                "reference": "https://attack.mitre.org/techniques/T1546/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "ImageLoad via Windows Update Auto Update Client",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+    "references": [
+      "https://dtm.uk/wuauclt/"
+    ],
+    "risk_score": 47,
+    "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement via MSHTA",
+    "query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n  ] by host.id, process.entity_id\n",
+    "references": [
+      "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with MMC",
+    "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and\n  source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\") and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
+    ],
+    "risk_score": 73,
+    "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
+    "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and not source.address in (\"127.0.0.1\", \"::1\")\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via PowerShell Remoting",
+    "query": "sequence by host.id with maxspan = 30s\n   [network where network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.",
+    "false_positives": [
+      "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via WinRM Remote Shell",
+    "query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and not source.address in (\"::1\", \"127.0.0.1\")\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "risk_score": 47,
+    "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.004",
+                "name": "InstallUtil",
+                "reference": "https://attack.mitre.org/techniques/T1218/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan = 5m\n  [process where event.type in (\"start\", \"process_started\") and\n    not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n    registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Security Support Provider",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.005",
+                "name": "Security Support Provider",
+                "reference": "https://attack.mitre.org/techniques/T1547/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and\n  process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and\n  process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:kcc and\n  process.args:copy_cred_cache\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.",
+    "false_positives": [
+      "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Kerberos Traffic from Unusual Process",
+    "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "false_positives": [
+      "Applications for password management."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Keychain Password Retrieval via Command Line",
+    "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
+    "references": [
+      "https://www.netmeister.org/blog/keychain-passwords.html",
+      "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
+      "https://ss64.com/osx/security.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 73,
+    "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LSASS Memory Dump Creation",
+    "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
+    "references": [
+      "https://github.com/outflanknl/Dumpert",
+      "https://github.com/hoangprod/AndrewSpecial"
+    ],
+    "risk_score": 73,
+    "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Movement via Startup Folder",
+    "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2017/06/rdpinception/"
+    ],
+    "risk_score": 73,
+    "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Tool Transfer",
+    "query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1570",
+            "name": "Lateral Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1570/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchAgent"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Launch Agent Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n  file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchDaemons"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LaunchDaemon Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \" /Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Local Scheduled Task Creation",
+    "query": "sequence with maxspan=1m\n  [process where event.type != \"end\" and\n    ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                      \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n    process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                                     \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n                                     \"winrshost.exe\")) or\n    process.code_signature.trusted == false)] by process.entity_id\n  [process where event.type == \"start\" and\n    (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n    process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n    /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n    not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "MFA Disabled for Google Workspace Organization",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
+    "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
+    "risk_score": 47,
+    "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Malware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Malware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "97314185-2568-4561-ae81-f3e480e5e695",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.",
+    "false_positives": [
+      "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "514121ce-c7b6-474a-8237-68ff71672379",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
+    "false_positives": [
+      "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DLP Policy Removed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.",
+    "false_positives": [
+      "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.",
+    "false_positives": [
+      "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.",
+    "false_positives": [
+      "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Management Group Role Assignment",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
+    ],
+    "risk_score": 21,
+    "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
+    "false_positives": [
+      "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Link Policy Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
+    "false_positives": [
+      "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Creation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "272a6484-2663-46db-a532-ef734bf9a796",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Gary Blackwell",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+    "false_positives": [
+      "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 New Inbox Rule Created",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.003",
+                "name": "Email Forwarding Rule",
+                "reference": "https://attack.mitre.org/techniques/T1114/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.",
+    "false_positives": [
+      "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Potential ransomware activity",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1486",
+            "name": "Data Encrypted for Impact",
+            "reference": "https://attack.mitre.org/techniques/T1486/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
+    "false_positives": [
+      "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
+    ],
+    "risk_score": 47,
+    "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.",
+    "false_positives": [
+      "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams External Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"
+    ],
+    "risk_score": 47,
+    "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.",
+    "false_positives": [
+      "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Guest Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies that a user has deleted an unusually large volume of files  as reported by Microsoft Cloud App Security.",
+    "false_positives": [
+      "Users or System Administrator cleaning out folders."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Unusual Volume of File Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.",
+    "false_positives": [
+      "A user sending emails using personal distribution folders may trigger the event."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 User Restricted from Sending Email",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"MSBuild.exe\" and\n  process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n  process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"eqnedt32.exe\",\n                         \"excel.exe\",\n                         \"fltldr.exe\",\n                         \"msaccess.exe\",\n                         \"mspub.exe\",\n                         \"outlook.exe\",\n                         \"powerpnt.exe\",\n                         \"winword.exe\" )\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.pe.original_file_name == \"MSBuild.exe\" and\n  not process.name : \"MSBuild.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.",
+    "false_positives": [
+      "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n    not process.name : (\"werfault.exe\", \"wermgr.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.",
+    "false_positives": [
+      "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.",
+      "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Writing Suspicious Files",
+    "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n",
+    "query": "file where event.type == \"creation\" and\n  process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n  file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n  (\n    file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n       not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n            file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n                        \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n       not file.name : \"TimeoutLogoff.aspx\")\n  )\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Worker Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n  (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n  process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
+      "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+    ],
+    "risk_score": 73,
+    "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of AmsiEnable Registry Key",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path: \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" and\n  registry.data.strings: \"0\"\n",
+    "references": [
+      "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
+      "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+    ],
+    "risk_score": 73,
+    "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of Boot Configuration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n  (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n  (process.args : \"no\" and process.args : \"recoveryenabled\")\n",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Dynamic Linker Preload Shared Object",
+    "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload\n",
+    "references": [
+      "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+    ],
+    "risk_score": 47,
+    "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.006",
+                "name": "Dynamic Linker Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Environment Variable via Launchctl",
+    "query": "event.category:process and event.type:start and\n  process.name:launchctl and\n  process.args:(setenv and not (JAVA*_HOME or\n                                RUNTIME_JAVA_HOME or\n                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n                                ANT_HOME or\n                                LG_WEBOS_TV_SDK_HOME or\n                                WEBOS_CLI_TV or\n                                EDEN_ENV)\n                ) and\n  not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/usr/local/bin/kr\" or\n                                 \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
+    ],
+    "risk_score": 47,
+    "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
+    "false_positives": [
+      "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of OpenSSH Binaries",
+    "query": "event.category:file and event.type:change and \n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.executable:/usr/bin/dpkg\n",
+    "references": [
+      "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Safari Settings via Defaults Command",
+    "query": "event.category:process and event.type:start and\n  process.name:defaults and process.args:\n    (com.apple.Safari and write and not\n      (\n      UniversalSearchEnabled or\n      SuppressSearchSuggestions or\n      WebKitTabToLinksPreferenceKey or\n      ShowFullURLInSmartSearchField or\n      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n      )\n    )\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.",
+    "false_positives": [
+      "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Standard Authentication Module or Configuration",
+    "query": "event.category:file and event.type:change and \n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and \n  process.executable:\n    (* and \n      not \n      (\n        /bin/yum or \n        \"/usr/sbin/pam-auth-update\" or \n        /usr/libexec/packagekitd or \n        /usr/bin/dpkg or \n        /usr/bin/vim or \n        /usr/libexec/xpcproxy or \n        /usr/bin/bsdtar or \n        /usr/local/bin/brew or\n        /usr/bin/rsync or\n        /usr/bin/yum or\n        /var/lib/docker/*/bin/yum or\n        /var/lib/docker/*/bin/dpkg or\n        ./merged/var/lib/docker/*/bin/dpkg or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         )\n",
+    "references": [
+      "https://github.com/zephrax/linux-pam-backdoor",
+      "https://github.com/eurialo/pambd",
+      "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
+      "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of WDigest Security Provider",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n  registry.data.strings:\"1\"\n",
+    "references": [
+      "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
+      "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019"
+    ],
+    "risk_score": 73,
+    "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mounting Hidden or WebDav Remote Shares",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+    "risk_score": 21,
+    "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-20m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=10m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "NTDS or SAM Database File Copied",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n       process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n    ) or\n    (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n  ) and\n  process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
+    "references": [
+      "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+      "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
+    ],
+    "risk_score": 73,
+    "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Net command via SYSTEM account",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  process.name : \"whoami.exe\" or\n  (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and\n   process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n   not (\n         user.id == \"S-1-5-18\" and\n         (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n       )\n   ]\n  [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\")  and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n                 event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n    not cidrmatch(destination.ip,\n      \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n      \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n      \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n      \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.",
+    "false_positives": [
+      "Authorized third party network logon providers."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Logon Provider Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n       registry.data.strings in\n                (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n                 \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n                 \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n      )\n",
+    "references": [
+      "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+      "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+    ],
+    "risk_score": 47,
+    "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_destination_country",
+    "name": "Network Traffic to Rare Destination Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "New or Modified Federation Domain",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or \n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"
+    ],
+    "risk_score": 21,
+    "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.002",
+                "name": "Domain Trust Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "NullSessionPipe Registry Modification",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n",
+    "references": [
+      "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"
+    ],
+    "risk_score": 47,
+    "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Excessive Single Sign-On Logon Errors",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+    "risk_score": 73,
+    "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
+    "false_positives": [
+      "Assignment of rights to a service account."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Exchange Suspicious Mailbox Right Delegation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success\n",
+    "risk_score": 21,
+    "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Outbound Scheduled Task Activity via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Parent Process PID Spoofing",
+    "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=5m\n [process where event.type == \"start\" and\n  process.Ext.token.integrity_level_name != \"system\" and\n  (\n    process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                                     \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                                     \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n                                     \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or\n    process.executable : (\"?:\\\\Users\\\\*.exe\",\n                          \"?:\\\\ProgramData\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Tasks\\\\*\") or\n    process.code_signature.trusted != true\n  )\n  ] by process.pid\n [process where event.type == \"start\" and process.parent.Ext.real.pid > 0 and\n  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n  \n  not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\")\n ] by process.parent.Ext.real.pid\n",
+    "references": [
+      "https://blog.didierstevens.com/2017/03/20/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/",
+            "subtechnique": [
+              {
+                "id": "T1134.004",
+                "name": "Parent PID Spoofing",
+                "reference": "https://attack.mitre.org/techniques/T1134/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Peripheral Device Discovery",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+    "risk_score": 21,
+    "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1120",
+            "name": "Peripheral Device Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1120/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Permission Theft - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Permission Theft - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via BITS Job Notify Cmdline",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n  not process.executable :\n              (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n               \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n               \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+      "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+      "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+    ],
+    "risk_score": 47,
+    "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1197",
+            "name": "BITS Jobs",
+            "reference": "https://attack.mitre.org/techniques/T1197/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via DirectoryService Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n",
+    "references": [
+      "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"
+    ],
+    "risk_score": 47,
+    "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via Docker Shortcut Modification",
+    "query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Folder Action Script",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.parent.pid\n",
+    "references": [
+      "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
+    ],
+    "risk_score": 47,
+    "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Hidden Run Key Detected",
+    "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+    "references": [
+      "https://github.com/outflanknl/SharpHide",
+      "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via KDE AutoStart Script or Desktop File Modification",
+    "query": "file where event.type != \"deletion\" and\n  file.extension in (\"sh\", \"desktop\") and\n  file.path :\n    (\n      \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n      \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n      \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n      \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n      \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n      \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n      \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n      \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n    )\n",
+    "references": [
+      "https://userbase.kde.org/System_Settings/Autostart",
+      "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Login or Logout Hook",
+    "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n       (\n         \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n       )\n",
+    "references": [
+      "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
+      "https://www.manpagez.com/man/1/defaults/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Office AddIns",
+    "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n    (\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n    )\n",
+    "references": [
+      "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.",
+    "false_positives": [
+      "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Outlook VBA",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+      "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"
+    ],
+    "risk_score": 47,
+    "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.",
+    "false_positives": [
+      "Legitimate scheduled jobs may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Scheduled Job Creation",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+    "risk_score": 47,
+    "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n  not process.name : (\"conhost.exe\",\n                      \"DeviceCensus.exe\",\n                      \"CompatTelRunner.exe\",\n                      \"DismHost.exe\",\n                      \"rundll32.exe\",\n                      \"powershell.exe\")\n",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "process where event.type == \"start\" and\n  process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n  process.parent.args : \"UsoSvc\" and\n  not process.executable :\n         (\n          \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n          )\n",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Event Subscription",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+    "risk_score": 21,
+    "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.003",
+                "name": "Windows Management Instrumentation Event Subscription",
+                "reference": "https://attack.mitre.org/techniques/T1546/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Standard Registry Provider",
+    "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n                  \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n                  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
+    ],
+    "risk_score": 73,
+    "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistent Scripts in the Startup Directory",
+    "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+    "risk_score": 47,
+    "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Port Forwarding Rule Addition",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and \n  (\n    azure.activitylogs.operation_name:\"Consent to application\" or\n    azure.auditlogs.operation_name:\"Consent to application\" or\n    o365.audit.Operation:\"Consent to application.\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Okta DoS Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Admin Group Account Addition",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n",
+    "references": [
+      "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"
+    ],
+    "risk_score": 47,
+    "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+    "false_positives": [
+      "Processes such as MS Office using IEproxy to render HTML content."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Command and Control via Internet Explorer",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
+    "risk_score": 47,
+    "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
+    "false_positives": [
+      "Developers performing browsers plugin or extension debugging."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Potential Cookies Theft via Browser Debugging",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\", \n                   \"--remote-debugging-targets=*\",  \n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+    "references": [
+      "https://github.com/defaultnamehere/cookie_crimes",
+      "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+      "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+      "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
+    ],
+    "risk_score": 47,
+    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via DuplicateHandle in LSASS",
+    "query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+    "references": [
+      "https://github.com/CCob/MirrorDump"
+    ],
+    "risk_score": 47,
+    "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Windows Utilities",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+    "references": [
+      "https://lolbas-project.github.io/"
+    ],
+    "risk_score": 73,
+    "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              },
+              {
+                "id": "T1003.003",
+                "name": "NTDS",
+                "reference": "https://attack.mitre.org/techniques/T1003/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Dennis Perto"
+    ],
+    "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+    "false_positives": [
+      "Microsoft Antimalware Service Executable installed on non default installation path."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+    "query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n",
+    "references": [
+      "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+    ],
+    "risk_score": 73,
+    "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "process where event.type == \"start\" and\n  process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n  not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n         process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n                               \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n         )\n",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)\n",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via NsLookup",
+    "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.004",
+                "name": "DNS",
+                "reference": "https://attack.mitre.org/techniques/T1071/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 15
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0\n",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+    "risk_score": 47,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Hidden Local User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n",
+    "references": [
+      "https://support.apple.com/en-us/HT203998"
+    ],
+    "risk_score": 47,
+    "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Kerberos Attack via Bifrost",
+    "query": "event.category:process and event.type:start and \n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n",
+    "references": [
+      "https://github.com/its-a-feature/bifrost"
+    ],
+    "risk_score": 73,
+    "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.003",
+                "name": "Pass the Ticket",
+                "reference": "https://attack.mitre.org/techniques/T1550/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSA Authentication Package Abuse",
+    "query": "registry where event.type == \"change\" and\n  registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 47,
+    "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Microsoft Office Sandbox Evasion",
+    "query": "event.category:file and not event.type:deletion and file.name:~$*.zip\n",
+    "references": [
+      "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
+      "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/",
+      "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"
+    ],
+    "risk_score": 73,
+    "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+    "references": [
+      "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
+    ],
+    "risk_score": 73,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.",
+    "false_positives": [
+      "Updates to approved and trusted SSH executables can trigger this rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential OpenSSH Backdoor Logging Activity",
+    "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n  (\n    file.name : (\".*\", \"~*\") or\n    file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n    file.path : \n    (\n      \"/private/etc/*--\", \n      \"/usr/share/*\", \n      \"/usr/include/*\", \n      \"/usr/local/include/*\", \n      \"/private/tmp/*\", \n      \"/private/var/tmp/*\",\n      \"/usr/tmp/*\", \n      \"/usr/share/man/*\", \n      \"/usr/local/share/*\", \n      \"/usr/lib/*.so.*\", \n      \"/private/etc/ssh/.sshd_auth\",\n      \"/usr/bin/ssd\", \n      \"/private/var/opt/power\", \n      \"/private/etc/ssh/ssh_known_hosts\", \n      \"/private/var/html/lol\", \n      \"/private/var/log/utmp\", \n      \"/private/var/lib\",\n      \"/var/run/sshd/sshd.pid\",\n      \"/var/run/nscd/ns.pid\",\n      \"/var/run/udev/ud.pid\",\n      \"/var/run/udevd.pid\"\n    )\n  )\n",
+    "references": [
+      "https://github.com/eset/malware-ioc/tree/master/sshdoor",
+      "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Password Spraying of Microsoft 365 User Accounts",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
+    "risk_score": 73,
+    "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Atom Init Script Modification",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
+      "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Login Hook",
+    "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Periodic Tasks",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n",
+    "references": [
+      "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
+      "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"
+    ],
+    "risk_score": 21,
+    "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Time Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/22/persistence-time-providers/"
+    ],
+    "risk_score": 47,
+    "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.003",
+                "name": "Time Providers",
+                "reference": "https://attack.mitre.org/techniques/T1547/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Port Monitor or Print Processor Registration Abuse",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n    \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n  registry.data.strings : \"*.dll\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare Exploit Registry Modification",
+    "query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n   registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare File Modification",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
+    "references": [
+      "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via TCCDB Modification",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+    "references": [
+      "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
+      "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
+      "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
+    ],
+    "risk_score": 47,
+    "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via Sudoers File Modification",
+    "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n",
+    "risk_score": 73,
+    "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Process Herpaderping Attempt",
+    "query": "sequence with maxspan=5s\n   [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n   [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+    "references": [
+      "https://github.com/jxy-s/herpaderping"
+    ],
+    "risk_score": 73,
+    "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Protocol Tunneling via EarthWorm",
+    "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
+    "references": [
+      "http://rootkiter.com/EarthWorm/",
+      "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+    ],
+    "risk_score": 47,
+    "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Shadowing Activity",
+    "query": "/* Identifies the modification of RDP Shadow registry or\n  the execution of processes indicative of active shadow RDP session */\n\nany where \n  (event.category == \"registry\" and\n     registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n  ) or\n  (event.category == \"process\" and \n     (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n     (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n  )\n",
+    "references": [
+      "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
+      "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Tunneling Detected",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+    "references": [
+      "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
+    ],
+    "risk_score": 73,
+    "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Reverse Shell Activity via Terminal",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n  process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n",
+    "references": [
+      "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+      "https://github.com/WangYihang/Reverse-Shell-Manager",
+      "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential SSH Brute Force Detected",
+    "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n",
+    "references": [
+      "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 20
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential SharpRDP Behavior",
+    "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and\n  user.name:(apache or nginx or www or \"www-data\")\n",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Windows Error Manager Masquerading",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
+      "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.",
+    "false_positives": [
+      "Powershell Scripts that use this capability for troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell MiniDump Script",
+    "query": "event.code:\"4104\" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
+      "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.,",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Discovery Related Windows API Functions",
+    "query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    NetShareEnum or\n    NetWkstaUserEnum or\n    NetSessionEnum or\n    NetLocalGroupEnum or\n    NetLocalGroupGetMembers or\n    DsGetSiteName or\n    DsEnumerateDomainTrusts or\n    WTSEnumerateSessionsEx or\n    WTSQuerySessionInformation or\n    LsaGetLogonSessionData or\n    QueryServiceObjectSecurity\n  )\n",
+    "references": [
+      "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413"
+    ],
+    "risk_score": 47,
+    "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          },
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+    "query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1123",
+            "name": "Audio Capture",
+            "reference": "https://attack.mitre.org/techniques/T1123/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Named Pipe Impersonation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+    "references": [
+      "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation"
+    ],
+    "risk_score": 73,
+    "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Root Crontab File Modification",
+    "query": "event.category:file and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n",
+    "references": [
+      "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
+      "https://www.exploit-db.com/exploits/42146"
+    ],
+    "risk_score": 73,
+    "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Windir Environment Variable",
+    "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+    "references": [
+      "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Execution from an Unusual Directory",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "risk_score": 47,
+    "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Termination followed by Deletion",
+    "query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+    "risk_score": 47,
+    "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Program Files Directory Masquerading",
+    "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.005",
+                "name": "Match Legitimate Name or Location",
+                "reference": "https://attack.mitre.org/techniques/T1036/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Prompt for Credentials with OSASCRIPT",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
+      "https://ss64.com/osx/osascript.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.002",
+                "name": "GUI Input Capture",
+                "reference": "https://attack.mitre.org/techniques/T1056/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "RDP Enabled via Registry",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Ransomware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Ransomware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
+    "false_positives": [
+      "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_user",
+    "name": "Rare User Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppCert DLL",
+    "query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+    "risk_score": 47,
+    "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.009",
+                "name": "AppCert DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/009/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppInit DLL",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.010",
+                "name": "AppInit DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Desktop Enabled in Windows Firewall",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+    "risk_score": 47,
+    "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Execution via File Shares",
+    "query": "sequence with maxspan=1m\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "references": [
+      "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy to a Hidden Share",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+    "risk_score": 47,
+    "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n  file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          },
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n  process.args : \"/lockscreenurl:http*\"\n",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n   process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+    "risk_score": 47,
+    "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Script Interpreter",
+    "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+    "risk_score": 47,
+    "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on)\n",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html",
+      "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Scheduled Task Creation",
+    "note": "## Triage and analysis\n\n### Investigating Creation of Remote Scheduled Tasks\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can\nbe used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.\nWhen investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the\noriginal intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind\nof network administrator work. One objective for these alerts is to understand the configured action within the scheduled\ntask, this is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps:\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the\nscheduled task.\n- Further examination should include both the source and target machines where host-based artifacts and network logs\nshould be reviewed further around the time window of the creation of the scheduled task.\n\n### False Positive Analysis\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature\nwithin Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to\nfurther understand the source of the activity and determine the intent based on the scheduled task contents.\n\n### Related Rules\n- Service Command Lateral Movement\n- Remotely Started Services via RPC\n\n### Response and Remediation\n- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should\nbe taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise\nbehavior.\n- Remove scheduled task and any other related artifacts to the activity.\n- Review privileged account management and user account management settings such as implementing GPO policies to further\nrestrict activity or configure settings that only allow Administrators to create remote scheduled tasks.\n",
+    "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n   source.address != \"127.0.0.1\" and source.address != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote System Discovery Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+    "risk_score": 21,
+    "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remotely Started Services via RPC",
+    "query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.address not in (\"127.0.0.1\", \"::1\")\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SIP Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path: (\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n    ) and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://github.com/mattifestation/PoCSubjectInterfacePackage"
+    ],
+    "risk_score": 47,
+    "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.003",
+                "name": "SIP and Trust Provider Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1553/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SSH Authorized Keys File Modification",
+    "query": "event.category:file and event.type:(change or creation) and \n file.name:(\"authorized_keys\" or \"authorized_keys2\") and \n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or \n              /usr/local/Cellar/maven/*/libexec/bin/mvn or \n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or \n              /usr/bin/vim or \n              /usr/local/Cellar/coreutils/*/bin/gcat or \n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or \n              /usr/bin/scp or\n              /usr/bin/touch or \n              /var/lib/docker/*)\n",
+    "risk_score": 47,
+    "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.004",
+                "name": "SSH Authorized Keys",
+                "reference": "https://attack.mitre.org/techniques/T1098/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SUNBURST Command and Control Activity",
+    "note": "## Triage and analysis\n\nThe SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
+    "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n  process.name : (\"ConfigurationWizard.exe\",\n                  \"NetFlowService.exe\",\n                  \"NetflowDatabaseMaintenance.exe\",\n                  \"SolarWinds.Administration.exe\",\n                  \"SolarWinds.BusinessLayerHost.exe\",\n                  \"SolarWinds.BusinessLayerHostx64.exe\",\n                  \"SolarWinds.Collector.Service.exe\",\n                  \"SolarwindsDiagnostics.exe\") and\n  (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n  (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n  not http.request.body.content : \"*solarwinds.com*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Created by a Windows Script",
+    "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.",
+    "query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Tasks AT Command Enabled",
+    "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"
+    ],
+    "risk_score": 47,
+    "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Screensaver Plist File Modified by Unexpected Process",
+    "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host",
+    "query": "file where event.type != \"deletion\" and\n  file.name: \"com.apple.screensaver.*.plist\" and\n  file.path : (\n    \"/Users/*/Library/Preferences/ByHost/*\",\n    \"/Library/Managed Preferences/*\",\n    \"/System/Library/Preferences/*\"\n    ) and\n  /* Filter OS processes modifying screensaver plist files */\n  not process.executable : (\n    \"/usr/sbin/cfprefsd\",\n    \"/usr/libexec/xpcproxy\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Searching for Saved Credentials via VaultCmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n  process.args:\"/list*\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://rastamouse.me/blog/rdp-jump-boxes/"
+    ],
+    "risk_score": 47,
+    "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.004",
+                "name": "Windows Credential Manager",
+                "reference": "https://attack.mitre.org/techniques/T1555/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery using WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+    "risk_score": 47,
+    "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
+    "false_positives": [
+      "Endpoint Security installers, updaters and post installation verification scripts."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery via Grep",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n   process.args :\n         (\"Little Snitch*\",\n          \"Avast*\",\n          \"Avira*\",\n          \"ESET*\",\n          \"BlockBlock*\",\n          \"360Sec*\",\n          \"LuLu*\",\n          \"KnockKnock*\",\n          \"kav\",\n          \"KIS\",\n          \"RTProtectionDaemon*\",\n          \"Malware*\",\n          \"VShieldScanner*\",\n          \"WebProtection*\",\n          \"webinspectord*\",\n          \"McAfee*\",\n          \"isecespd*\",\n          \"macmnsvc*\",\n          \"masvc*\",\n          \"kesl*\",\n          \"avscan*\",\n          \"guard*\",\n          \"rtvscand*\",\n          \"symcfgd*\",\n          \"scmdaemon*\",\n          \"symantec*\",\n          \"sophos*\",\n          \"osquery*\",\n          \"elastic-endpoint*\"\n          ) and\n   not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
+    "risk_score": 47,
+    "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sensitive Files Compression",
+    "query": "event.category:process and event.type:start and\n  process.name:(zip or tar or gzip or hdiutil or 7z) and\n  process.args:\n    (\n      /root/.ssh/id_rsa or\n      /root/.ssh/id_rsa.pub or\n      /root/.ssh/id_ed25519 or\n      /root/.ssh/id_ed25519.pub or\n      /root/.ssh/authorized_keys or\n      /root/.ssh/authorized_keys2 or\n      /root/.ssh/known_hosts or\n      /root/.bash_history or\n      /etc/hosts or\n      /home/*/.ssh/id_rsa or\n      /home/*/.ssh/id_rsa.pub or\n      /home/*/.ssh/id_ed25519 or\n      /home/*/.ssh/id_ed25519.pub or\n      /home/*/.ssh/authorized_keys or\n      /home/*/.ssh/authorized_keys2 or\n      /home/*/.ssh/known_hosts or\n      /home/*/.bash_history or\n      /root/.aws/credentials or\n      /root/.aws/config or\n      /home/*/.aws/credentials or\n      /home/*/.aws/config or\n      /root/.docker/config.json or\n      /home/*/.docker/config.json or\n      /etc/group or\n      /etc/passwd or\n      /etc/shadow or\n      /etc/gshadow\n    )\n",
+    "references": [
+      "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Collection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan = 1m\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n      process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n      process.args : (\"create\", \"config\", \"failure\", \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Control Spawned via Script Interpreter",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n  process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n                         \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n  process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n  /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Setuid / Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n           (\n             /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n             /\\/usr\\/local\\/lib\\/python.+/ OR\n             /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n             /\\/Library\\/Filesystems\\/.+/ OR\n             /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n             /\\/Library\\/Application.*/ OR\n             \"/run/postgresql\" OR\n             \"/var/crash\" OR\n             \"/var/run/postgresql\" OR\n             /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n             /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n             \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n             /\\/run\\/log\\/journal\\/.*/ OR\n             \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n           ) AND\n NOT process.parent.executable:\n           (\n             /\\/var\\/lib\\/docker\\/.+/ OR\n             \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n             \"/var/lib/dpkg/info/whoopsie.postinst\"\n           )\n",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.001",
+                "name": "Setuid and Setgid",
+                "reference": "https://attack.mitre.org/techniques/T1548/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shell Execution via Apple Scripting",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n",
+    "references": [
+      "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shortcut File Written or Modified for Persistence",
+    "query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.",
+    "false_positives": [
+      "Authorized SoftwareUpdate Settings Changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SoftwareUpdate Preferences Modification",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:defaults and \n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n",
+    "references": [
+      "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SolarWinds Process Disabling Services via Registry",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a\nparticular error message. The error message in question was associated with the response to an AWS API command or method call,\nthis has the potential to uncover unknown threats or activity.\n\n#### Possible investigation steps:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n\n### False Positive Analysis\n- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent\nchanges to automation modules or scripting.\n- Adoption of new services or implementing new functionality to scripts may generate false positives\n\n### Related Rules\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
+    "false_positives": [
+      "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_fails",
+    "name": "Spike in Failed Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_denies",
+    "name": "Spike in Firewall Denies",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events",
+    "name": "Spike in Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
+    "name": "Spike in Logon Events from a Source IP",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_events",
+    "name": "Spike in Network Traffic",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_by_destination_country",
+    "name": "Spike in Network Traffic To a Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup Folder Persistence via Unsigned Process",
+    "query": "sequence by host.id, process.entity_id with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n  /* suspicious paths can be added here  */\n   process.executable : (\"C:\\\\Users\\\\*.exe\", \n                         \"C:\\\\ProgramData\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n                         \"C:\\\\Intel\\\\*.exe\", \n                         \"C:\\\\PerfLogs\\\\*.exe\")\n   ]\n   [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n    file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n                 \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n   ]\n",
+    "risk_score": 41,
+    "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup or Run Key Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n  not (process.name : \"OneDriveSetup.exe\" and\n       registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n       registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n",
+    "risk_score": 21,
+    "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Sublime Plugin or Application Script Modification",
+    "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n  file.path : \n    (\n      \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n    ) and\n  not process.executable : \n    (\n      \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n      \"/usr/local/Cellar/git/*/bin/git\", \n      \"/usr/libexec/xpcproxy\", \n      \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 21,
+    "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.",
+    "false_positives": [
+      "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudo Heap-Based Buffer Overflow Attempt",
+    "query": "event.category:process and event.type:start and\n  process.name:(sudo or sudoedit) and\n  process.args:(*\\\\ and (\"-i\" or \"-s\"))\n",
+    "references": [
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
+      "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
+      "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
+      "https://www.sudo.ws/alerts/unescape_overflow.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.hostname"
+      ],
+      "value": 100
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n",
+    "risk_score": 47,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Automator Workflows Execution",
+    "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Browser Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n  process.command_line != null and \n  not process.args : \n    ( \n      \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n      \"hw.model\", \n      \"IOPlatformExpertDevice\", \n      \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n      \"--defaults-torrc\", \n      \"Chrome.app\", \n      \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n      \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n      \"$DISPLAY\", \n      \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n    )\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x43.html",
+      "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"
+    ],
+    "risk_score": 73,
+    "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1203",
+            "name": "Exploitation for Client Execution",
+            "reference": "https://attack.mitre.org/techniques/T1203/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1189",
+            "name": "Drive-by Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1189/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.",
+    "false_positives": [
+      "Trusted applications for managing calendars and reminders."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Calendar File Modification",
+    "query": "event.category:file and event.action:modification and\n  file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n  process.executable:\n  (* and not \n    (\n      /System/Library/* or \n      /System/Applications/Calendar.app/Contents/MacOS/* or \n      /usr/libexec/xpcproxy or \n      /sbin/launchd or \n      /Applications/*\n    )\n  )\n",
+    "references": [
+      "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
+      "https://github.com/FSecureLABS/CalendarPersist",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious CertUtil Commands",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\")\n",
+    "references": [
+      "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+      "https://twitter.com/egre55/status/1087685529016193025",
+      "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+      "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"
+    ],
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.",
+    "false_positives": [
+      "Trusted system or Adobe Acrobat Related processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n  user.name:root and\n  not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n                           /usr/bin/codesign or\n                           /private/var/folders/zz/*/T/download/ARMDCHammer or\n                           /usr/sbin/pkgutil or\n                           /usr/bin/shasum or\n                           /usr/bin/perl* or\n                           /usr/sbin/spctl or\n                           /usr/sbin/installer)\n",
+    "references": [
+      "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Cmd Execution via WMI",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
+    "risk_score": 47,
+    "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
+    "query": "library where dll.name :\n  (\n  \"wlbsctrl.dll\",\n  \"wbemcomn.dll\",\n  \"WptsExtensions.dll\",\n  \"Tsmsisrv.dll\",\n  \"TSVIPSrv.dll\",\n  \"Msfte.dll\",\n  \"wow64log.dll\",\n  \"WindowsCoreDeviceInfo.dll\",\n  \"Ualapi.dll\",\n  \"wlanhlp.dll\",\n  \"phoneinfo.dll\",\n  \"EdgeGdi.dll\",\n  \"cdpsgshims.dll\",\n  \"windowsperformancerecordercontrol.dll\",\n  \"diagtrack_win.dll\"\n  ) and \nnot (dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and dll.code_signature.status : \"trusted\")\n",
+    "references": [
+      "https://itm4n.github.io/windows-dll-hijacking-clarified/",
+      "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+      "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
+      "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+      "https://windows-internals.com/faxing-your-way-to-system/",
+      "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.001",
+                "name": "DLL Search Order Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Emond Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n   \"bash\",\n   \"dash\",\n   \"sh\",\n   \"tcsh\",\n   \"csh\",\n   \"zsh\",\n   \"ksh\",\n   \"fish\",\n   \"Python\",\n   \"python*\",\n   \"perl*\",\n   \"php*\",\n   \"osascript\",\n   \"pwsh\",\n   \"curl\",\n   \"wget\",\n   \"cp\",\n   \"mv\",\n   \"touch\",\n   \"echo\",\n   \"base64\",\n   \"launchctl\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3e3d15c6-1509-479a-b125-21718372157e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution - Short Program Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+    "risk_score": 47,
+    "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution from a Mounted Device",
+    "query": "process where event.type == \"start\" and process.executable : \"C:\\\\*\" and\n  (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n  process.parent.name : \"explorer.exe\" and\n  process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n                  \"cscript.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              },
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              },
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.",
+    "false_positives": [
+      "Legitimate scheduled tasks running third party software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution via Scheduled Task",
+    "query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+    "risk_score": 47,
+    "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Explorer Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n   process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n   process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n  ) and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n  not process.parent.args:\n          (\n            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */\n            \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n            \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n          )\n",
+    "risk_score": 47,
+    "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Hidden Child Process of Launchd",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x61.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Image Load (taskschd.dll) from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"taskschd.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious ImagePath Service Creation",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+    "risk_score": 73,
+    "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious JAR Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\") and\n  process.args : \"-jar\" and process.args : \"*.jar\" and\n  /* Add any FP's here */\n  not process.executable : (\"/Users/*/.sdkman/*\", \"/Library/Java/JavaVirtualMachines/*\") and\n  not process.args : (\"/usr/local/*\", \"/Users/*/github.com/*\", \"/Users/*/src/*\")\n",
+    "risk_score": 47,
+    "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \n                \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \n                \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \n                \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \n                \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"outlook.exe\" and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n                  \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n                  \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n                  \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n                  \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n                  \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n                  \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type == \"start\" and \n  process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where event.type != \"deletion\" and\n  file.name : (\"wscript.exe.log\",\n               \"cscript.exe\",\n               \"mshta.exe.log\",\n               \"wmic.exe.log\",\n               \"svchost.exe.log\",\n               \"dllhost.exe.log\",\n               \"cmstp.exe.log\",\n               \"regsvr32.exe.log\")]\n",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"AcroRd32.exe\",\n                         \"Acrobat.exe\",\n                         \"FoxitPhantomPDF.exe\",\n                         \"FoxitReader.exe\") and\n  process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n                  \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n                  \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n                  \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n                  \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n                  \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n                  \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk.,",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Portable Executable Encoded in Powershell Script",
+    "query": "event.code:\"4104\" and \n  powershell.file.script_block_text : (\n    TVqQAAMAAAAEAAAA\n  )\n",
+    "risk_score": 47,
+    "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PowerShell Engine ImageLoad",
+    "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n  not process.name :\n  (\n    \"Altaro.SubAgent.exe\",\n    \"AppV_Manage.exe\",\n    \"azureadconnect.exe\",\n    \"CcmExec.exe\",\n    \"configsyncrun.exe\",\n    \"choco.exe\",\n    \"ctxappvservice.exe\",\n    \"DVLS.Console.exe\",\n    \"edgetransport.exe\",\n    \"exsetup.exe\",\n    \"forefrontactivedirectoryconnector.exe\",\n    \"InstallUtil.exe\",\n    \"JenkinsOnDesktop.exe\",\n    \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n    \"mmc.exe\",\n    \"mscorsvw.exe\",\n    \"msexchangedelivery.exe\",\n    \"msexchangefrontendtransport.exe\",\n    \"msexchangehmworker.exe\",\n    \"msexchangesubmission.exe\",\n    \"msiexec.exe\",\n    \"MsiExec.exe\",\n    \"noderunner.exe\",\n    \"NServiceBus.Host.exe\",\n    \"NServiceBus.Host32.exe\",\n    \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n    \"OuiGui.WPF.exe\",\n    \"powershell.exe\",\n    \"powershell_ise.exe\",\n    \"pwsh.exe\",\n    \"SCCMCliCtrWPF.exe\",\n    \"ScriptEditor.exe\",\n    \"ScriptRunner.exe\",\n    \"sdiagnhost.exe\",\n    \"servermanager.exe\",\n    \"setup100.exe\",\n    \"ServiceHub.VSDetouredHost.exe\",\n    \"SPCAF.Client.exe\",\n    \"SPCAF.SettingsEditor.exe\",\n    \"SQLPS.exe\",\n    \"telemetryservice.exe\",\n    \"UMWorkerProcess.exe\",\n    \"w3wp.exe\",\n    \"wsmprovhost.exe\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+    "false_positives": [
+      "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler File Deletion",
+    "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler Point and Print DLL",
+    "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+    "references": [
+      "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
+      "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : \"spl\" and\n  file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n  not process.name : (\"spoolsv.exe\",\n                      \"printfilterpipelinesvc.exe\",\n                      \"PrintIsolationHost.exe\",\n                      \"splwow64.exe\",\n                      \"msiexec.exe\",\n                      \"poqexec.exe\")\n",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n  file.extension : (\"exe\", \"dll\") and\n  not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 73,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Access via Direct System Call",
+    "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1278013896440324096",
+      "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+    ],
+    "risk_score": 73,
+    "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process from Conhost",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"conhost.exe\" and\n  not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious RDP ActiveX Client Loaded",
+    "query": "library where dll.name : \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n  process.executable :\n    (\n    \"C:\\\\Windows\\\\*\",\n    \"C:\\\\Users\\\\Public\\\\*\",\n    \"C:\\\\Users\\\\Default\\\\*\",\n    \"C:\\\\Intel\\\\*\",\n    \"C:\\\\PerfLogs\\\\*\",\n    \"C:\\\\ProgramData\\\\*\",\n    \"\\\\Device\\\\Mup\\\\*\",\n    \"\\\\\\\\*\"\n    ) and\n    /* add here FPs */\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 47,
+    "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Script Object Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n  [process where event.type == \"start\" \n   and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n   process.code_signature.trusted == true) and\n     not process.executable : (\n       \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n       \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n       \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n       \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n       \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n  [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n",
+    "risk_score": 47,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.",
+    "false_positives": [
+      "Trusted SolarWinds child processes, verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious SolarWinds Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Startup Shell Folder Modification",
+    "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Activity\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges\nwhich can be ideal for an attacker.\n\n#### Possible investigation steps:\n- Review the source process and related file tied to the Windows Registry entry\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations\n- Determine if activity is unique by validating if other machines in same organization have similar entry\n\n### False Positive Analysis\n- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. Before entering further\ninvestigation, this activity should be validated that is it not related to benign activity\n\n### Related Rules\n- Startup or Run Key Registry Modification\n- Persistent Scripts in the Startup Directory\n\n### Response and Remediation\n- Activity should first be validated as a true positive event if so then immediate response should be taken to review,\ninvestigate and potentially isolate activity to prevent further post-compromise behavior\n- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand\nit's behavior and capabilities\n- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first\ninitialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source\nof the attack, this information can then be used to search for similar indicators on other machines in the same environment.\n",
+    "query": "registry where\n registry.path : (\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n     ) and\n  registry.data.strings != null and\n  /* Normal Startup Folder Paths */\n  not registry.data.strings : (\n           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n           )\n",
+    "risk_score": 73,
+    "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMI Image Load from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"wmiutils.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
+    ],
+    "risk_score": 21,
+    "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n   process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows error reporting debugger or applications restarted by WerFault after a crash."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WerFault Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"WerFault.exe\" and\n  not process.name : (\"cofire.exe\",\n                      \"psr.exe\",\n                      \"VsJITDebugger.exe\",\n                      \"TTTracer.exe\",\n                      \"rundll32.exe\",\n                      \"LogiOptionsMgr.exe\") and\n  not process.args : (\"/LOADSAVEDWINDOWS\",\n                      \"/restore\",\n                      \"RestartByRestartManager*\",\n                      \"--restarted\",\n                      \"createdump\",\n                      \"dontsend\",\n                      \"/watson\")\n",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+      "https://blog.menasec.net/2021/01/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Zoom Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          },
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious macOS MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n   \"bash\", \n   \"dash\", \n   \"sh\", \n   \"tcsh\", \n   \"csh\", \n   \"zsh\", \n   \"ksh\", \n   \"fish\", \n   \"python*\", \n   \"perl*\", \n   \"php*\", \n   \"osascript\",\n   \"pwsh\", \n   \"curl\", \n   \"wget\", \n   \"cp\", \n   \"mv\", \n   \"base64\", \n   \"launchctl\"\n  ) and\n  /* noisy false positives related to product version discovery and office errors reporting */\n  not process.args:\n    (\n      \"ProductVersion\",\n      \"hw.model\",\n      \"ioreg\",\n      \"ProductName\",\n      \"ProductUserVisibleVersion\",\n      \"ProductBuildVersion\",\n      \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n    )\n",
+    "references": [
+      "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"
+    ],
+    "risk_score": 47,
+    "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Svchost spawning Cmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n  not (process.pe.original_file_name == \"Cmd.Exe\" and process.args : \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat??\")\n",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Log File Deletion",
+    "query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Shells via Services",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"services.exe\" and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n  \n  /* Third party FP's */\n  not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SystemKey Access via Command Line",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:\"/private/var/db/SystemKey\"\n",
+    "references": [
+      "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"
+    ],
+    "risk_score": 73,
+    "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "TCC Bypass via Mounted APFS Snapshot Access",
+    "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and\n  process.args : (/System/Volumes/Data and noowners)\n",
+    "references": [
+      "https://theevilbit.github.io/posts/cve_2020_9771/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1006",
+            "name": "Direct Volume Access",
+            "reference": "https://attack.mitre.org/techniques/T1006/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Tampering of Bash Command-Line History",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (\n  (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n  (process.name : \"history\" and process.args : \"-c\") or\n  (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n  (process.args : \"unset\" and process.args : \"HISTFILE\") or\n  (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.",
+    "false_positives": [
+      "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Third-party Backup Files Deleted via Unexpected Process",
+    "query": "file where event.type == \"deletion\" and\n  (\n  /* Veeam Related Backup Files */\n  (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n  not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n                            \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n  /* Veritas Backup Exec Related Backup File */\n  (file.extension : \"BKF\" and\n  not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n  )\n",
+    "references": [
+      "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"
+    ],
+    "risk_score": 47,
+    "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Filebeat Module Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel Filebeat module. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign six months ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.module",
+          "negate": false,
+          "params": {
+            "query": "threatintel"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.module": "threatintel"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "filebeat-*"
+    ],
+    "threat_indicator_path": "",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threatintel.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threatintel.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threatintel.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threatintel.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threatintel.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threatintel.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threatintel.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threatintel.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.module:threatintel and (threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Timestomping using Touch Command",
+    "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
+    "risk_score": 47,
+    "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.006",
+                "name": "Timestomp",
+                "reference": "https://attack.mitre.org/techniques/T1070/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "references": [
+      "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
+    "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Windows Directory Masquerading",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+    "references": [
+      "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
+    ],
+    "risk_score": 73,
+    "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n  not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n  process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+    "references": [
+      "https://github.com/AzAgarampur/byeintegrity-uac"
+    ],
+    "risk_score": 47,
+    "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an unauthorized access attempt is made by a user for an Okta application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unauthorized Access to an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+    "risk_score": 21,
+    "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Uncommon Registry Persistence Change",
+    "query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+    "references": [
+      "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"
+    ],
+    "risk_score": 47,
+    "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unexpected Child Process of macOS Screensaver Engine",
+    "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas downloading a payload from a server\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n",
+    "query": "process where event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.pid == 4 and\n  not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n  not process.name : \"conhost.exe\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-60m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "30m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule focuses on AWS command activity where the country from the source of the activity has been\nconsidered unusual based on previous history.\n\n#### Possible investigation steps:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS,\ntherefore it's important to validate the activity listed in the investigation steps above.\n\n### Related Rules\n- Unusual City For an AWS Command\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : (\"exe\", \"dll\") and\n  process.name : (\"smss.exe\",\n                  \"autochk.exe\",\n                  \"csrss.exe\",\n                  \"wininit.exe\",\n                  \"services.exe\",\n                  \"lsass.exe\",\n                  \"winlogon.exe\",\n                  \"userinit.exe\",\n                  \"LogonUI.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Creation - Alternate Data Stream",
+    "query": "file where event.type == \"creation\" and\n  file.path : \"C:\\\\*:*\" and\n  not file.path : \"C:\\\\*:zone.identifier*\" and\n  file.extension :\n    (\n      \"pdf\",\n      \"dll\",\n      \"png\",\n      \"exe\",\n      \"dat\",\n      \"com\",\n      \"bat\",\n      \"cmd\",\n      \"sys\",\n      \"vbs\",\n      \"ps1\",\n      \"hta\",\n      \"txt\",\n      \"vbe\",\n      \"js\",\n      \"wsh\",\n      \"docx\",\n      \"doc\",\n      \"xlsx\",\n      \"xls\",\n      \"pptx\",\n      \"ppt\",\n      \"rtf\",\n      \"gif\",\n      \"jpg\",\n      \"png\",\n      \"bmp\",\n      \"img\",\n      \"iso\"\n    )\n",
+    "risk_score": 47,
+    "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n  not file.name : \"dns.log\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
+    "false_positives": [
+      "Users working late, or logging in from unusual time zones while traveling, may trigger this rule."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_hour_for_a_user",
+    "name": "Unusual Hour for a User to Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_network_port_activity_ecs",
+      "v2_linux_anomalous_network_port_activity_ecs"
+    ],
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_process",
+      "v2_linux_rare_metadata_process"
+    ],
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_user",
+      "v2_linux_rare_metadata_user"
+    ],
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_user_name_ecs",
+      "v2_linux_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Linux Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via DllHost",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"dllhost.exe\" and process.args_count == 1]\n  [network where process.name : \"dllhost.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n    \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n    \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n    \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n    \"FF00::/8\")]\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and\n  process.parent.name : (\"lsass.exe\",\n                         \"csrss.exe\",\n                         \"epad.exe\",\n                         \"regsvr32.exe\",\n                         \"dllhost.exe\",\n                         \"LogonUI.exe\",\n                         \"wermgr.exe\",\n                         \"spoolsv.exe\",\n                         \"jucheck.exe\",\n                         \"jusched.exe\",\n                         \"ctfmon.exe\",\n                         \"taskhostw.exe\",\n                         \"GoogleUpdate.exe\",\n                         \"sppsvc.exe\",\n                         \"sihost.exe\",\n                         \"slui.exe\",\n                         \"SIHClient.exe\",\n                         \"SearchIndexer.exe\",\n                         \"SearchProtocolHost.exe\",\n                         \"FlashPlayerUpdateService.exe\",\n                         \"WerFault.exe\",\n                         \"WUDFHost.exe\",\n                         \"unsecapp.exe\",\n                         \"wlanext.exe\" )\n",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+    "references": [
+      "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
+      "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
+    ],
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Persistence via Services Registry",
+    "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n                               \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n                            \"?:\\\\Program Files (x86)\\\\*.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n                            \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\services.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.",
+    "false_positives": [
+      "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Print Spooler Child Process",
+    "query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and user.id : \"S-1-5-18\" and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp\n",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution Path - Alternate Data Stream",
+    "query": "process where event.type == \"start\" and\n  process.args : \"?:\\\\*:*\" and process.args_count == 1\n",
+    "risk_score": 47,
+    "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_linux_ecs",
+      "v2_rare_process_by_host_linux_ecs"
+    ],
+    "name": "Unusual Process For a Linux Host",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_windows_ecs",
+      "v2_rare_process_by_host_windows_ecs"
+    ],
+    "name": "Unusual Process For a Windows Host",
+    "note": "## Triage and analysis\n\n###  Investigating an Unusual Windows Process\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.\nBy understanding what is commonly run within an environment and developing baselines for legitimate activity can help\nuncover potential malware and suspicious behaviors.\n\n#### Possible investigation steps:\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\n\n### False Positive Analysis\n- Validate the unusual Windows process is not related to new benign software installation activity. If related to\nlegitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch\nAPI to tune this rule to your environment\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose.  It's possible that a small number of endpoints\nsuch as servers that have very unique software that might appear to be unusual, but satisfy a specific business need.\n\n### Related Rules\n- Anomalous Windows Process Creation\n- Unusual Windows Path Activity\n- Unusual Windows Process Calling the Metadata Service\n\n### Response and Remediation\n- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious\n- Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise\nbehavior such as setting up persistence or performing lateral movement.\n- Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on\nwhat is allowed to run on Windows infrastructure.\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.",
+    "false_positives": [
+      "Changes to Windows services or a rarely executed child process."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Service Host Child Process - Childless Service",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+    "false_positives": [
+      "Business travelers who roam to new locations may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_source_ip_for_a_user",
+    "name": "Unusual Source IP for a User to Logon from",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_network_activity_ecs",
+      "v2_windows_anomalous_network_activity_ecs"
+    ],
+    "name": "Unusual Windows Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_path_activity_ecs",
+      "v2_windows_anomalous_path_activity_ecs"
+    ],
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_process",
+      "v2_windows_rare_metadata_process"
+    ],
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_user",
+      "v2_windows_rare_metadata_user"
+    ],
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_user_name_ecs",
+      "v2_windows_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Windows Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Account Creation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"net.exe\", \"net1.exe\") and\n  not process.parent.name : \"net.exe\" and\n  (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Application",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Skoetting"
+    ],
+    "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Added to Privileged Group in Active Directory",
+    "query": "iam where event.action == \"added-member-to-group\" and\n  group.name : (\"Admin*\",\n                \"Local Administrators\",\n                \"Domain Admins\",\n                \"Enterprise Admins\",\n                \"Backup Admins\",\n                \"Schema Admins\",\n                \"DnsAdmins\",\n                \"Exchange Organization Administrators\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(\"/sys/class/dmi/id/bios_version\" or\n                \"/sys/class/dmi/id/product_name\" or\n                \"/sys/class/dmi/id/chassis_vendor\" or\n                \"/proc/scsi/scsi\" or\n                \"/proc/ide/hd0/model\") and\n  not user.name:root\n",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting via Grep",
+    "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and \n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x4F.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Private Network Connection Attempt",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n    (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n  )\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+      "https://www.unix.com/man-page/osx/8/networksetup/",
+      "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
+    ],
+    "risk_score": 21,
+    "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and event.action == \"start\" \n  and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n  process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n  process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n  process.args : (\"*Win32_ShadowCopy*\") and\n  process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
+      "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",
+      "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"
+    ],
+    "risk_score": 73,
+    "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WMI Incoming Lateral Movement",
+    "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n   source.address != \"127.0.0.1\" and source.address != \"::1\" and \n   source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent string.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.",
+    "false_positives": [
+      "Legitimate WebProxy Settings Modification"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "WebProxy Settings Modification",
+    "query": "event.category : process and event.type : start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n                                  \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n                                  \"/usr/libexec/xpcproxy\")\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WebServer Access Logs Deleted",
+    "query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+    "risk_score": 47,
+    "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Webshell Detection: Script Process Child of Common Web Processes",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n  process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whitespace Padding in Process Command Line",
+    "note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+    "references": [
+      "https://twitter.com/JohnLaTwC/status/1419251082736201737"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whoami Process Activity",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"\n",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.002",
+                "name": "Code Signing",
+                "reference": "https://attack.mitre.org/techniques/T1553/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Disabled via Registry Modification",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+    "references": [
+      "https://thedfirreport.com/2020/12/13/defender-control/"
+    ],
+    "risk_score": 21,
+    "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Exclusions Added via PowerShell",
+    "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n  process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
+    "references": [
+      "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Anabella Cristaldi"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows Event Logs Cleared",
+    "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+    "risk_score": 21,
+    "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Network Enumeration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestry is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+    "risk_score": 47,
+    "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          },
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Executing PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Interpreter Executing Process via WMI",
+    "query": "sequence by host.id with maxspan = 5s\n    [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name :\n        (\n          \"cscript.exe\",\n          \"wscript.exe\",\n          \"PowerShell.EXE\",\n          \"Cmd.Exe\",\n          \"MSHTA.EXE\",\n          \"RUNDLL32.EXE\",\n          \"REGSVR32.EXE\",\n          \"MSBuild.exe\",\n          \"InstallUtil.exe\",\n          \"RegAsm.exe\",\n          \"RegSvcs.exe\",\n          \"msxsl.exe\",\n          \"CONTROL.EXE\",\n          \"EXPLORER.EXE\",\n          \"Microsoft.Workflow.Compiler.exe\",\n          \"msiexec.exe\"\n        ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
+    "risk_score": 47,
+    "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n  event.action:meeting.created and not zoom.meeting.password:*\n",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.",
+    "false_positives": [
+      "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "macOS Installer Spawns Network Event",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type == \"start\" and host.os.family == \"macos\" and\n    process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [network where not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://redcanary.com/blog/clipping-silver-sparrows-wings",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/orig-rules-json-files/8.0.0-prebuilt-rule.json b/prebuilt-rules-scripts/orig-rules-json-files/8.0.0-prebuilt-rule.json
new file mode 100644
index 0000000000..b8cace39ee
--- /dev/null
+++ b/prebuilt-rules-scripts/orig-rules-json-files/8.0.0-prebuilt-rule.json
@@ -0,0 +1,33946 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Config Service Tampering",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
+      "https://github.com/easttimor/aws-incident-response"
+    ],
+    "risk_score": 47,
+    "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1020",
+            "name": "Automated Exfiltration",
+            "reference": "https://attack.mitre.org/techniques/T1020/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1074",
+            "name": "Data Staged",
+            "reference": "https://attack.mitre.org/techniques/T1074/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.",
+    "false_positives": [
+      "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EC2 VM Export Failure",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"
+    ],
+    "risk_score": 21,
+    "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.",
+    "false_positives": [
+      "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EFS File System or Mount Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
+      "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been created.",
+    "false_positives": [
+      "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an ElastiCache security group has been modified or deleted.",
+    "false_positives": [
+      "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS ElastiCache Security Group Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or \n\"Authorize Cache Security Group Ingress\" or  \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or \n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.",
+    "false_positives": [
+      "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS EventBridge Rule Disabled or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Execution via System Manager",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and\n  event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n  aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+    "false_positives": [
+      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS IAM User Addition to Group",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "cloud.account.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Management Console Root Login",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.",
+    "false_positives": [
+      "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Creation",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.003",
+                "name": "Cloud Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.",
+    "false_positives": [
+      "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Security Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.",
+    "false_positives": [
+      "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Export",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS RDS Snapshot Restored",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
+      "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"
+    ],
+    "risk_score": 47,
+    "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Root Login Without MFA",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n  aws.cloudtrail.user_identity.type:Root and\n  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n  event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
+    "false_positives": [
+      "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transfer Lock Disabled",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.",
+    "false_positives": [
+      "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route 53 Domain Transferred to Another Account",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been created.",
+    "false_positives": [
+      "Route Table being created may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Created",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"
+    ],
+    "risk_score": 21,
+    "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an AWS Route Table has been modified or deleted.",
+    "false_positives": [
+      "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.  Also automated processes that uses Terraform may lead to false positives."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route Table Modified or Deleted",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n",
+    "references": [
+      "https://github.com/easttimor/aws-incident-response#network-routing",
+      "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a Route53 private hosted zone has been associated with VPC.",
+    "false_positives": [
+      "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Route53 private hosted zone associated with a VPC",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n                DeleteBucketEncryption or DeleteBucketLifecycle)\n  and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.",
+    "false_positives": [
+      "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS SAML Activity",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
+    "false_positives": [
+      "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS STS GetSessionToken Abuse",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and \naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.",
+    "false_positives": [
+      "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Group Configuration Change Detection",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.007",
+                "name": "Disable or Modify Cloud Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.",
+    "false_positives": [
+      "Automated processes that uses Terraform may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS Security Token Service (STS) AssumeRole Usage",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n",
+    "references": [
+      "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
+    "false_positives": [
+      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Abnormally Large DNS Response",
+    "note": "## Triage and analysis\n\n### Investigating Large DNS Responses\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS\nserver. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)\nalso known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps:\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate\nthe source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.\n- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False Positive Analysis\n- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes\nand related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses\nwere all observed as greater than 65k bytes.\n- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's\nimportant to determine the source of the activity and potential whitelist the source host\n\n\n### Related Rules\n- Unusual Child Process of dns.exe\n- Unusual File Modification by dns.exe\n\n### Response and Remediation\n- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the\npatched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a\nrestart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and\n  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access of Stored Browser Credentials",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n      \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n      \"/Users/*/Library/Cookies*\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n      \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n      \"Login Data\",\n      \"Cookies.binarycookies\", \n      \"key4.db\", \n      \"key3.db\", \n      \"logins.json\", \n      \"cookies.sqlite\"\n    )\n",
+    "references": [
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Access to Keychain Credentials Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args :\n    (\n      \"/Users/*/Library/Keychains/*\",\n      \"/Library/Keychains/*\",\n      \"/Network/Library/Keychains/*\",\n      \"System.keychain\",\n      \"login.keychain-db\",\n      \"login.keychain\"\n    ) and\n    not process.args : (\"find-certificate\",\n                      \"add-trusted-cert\",\n                      \"set-keychain-settings\",\n                      \"delete-certificate\",\n                      \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n                      \"show-keychain-info\",\n                      \"lock-keychain\",\n                      \"set-key-partition-list\",\n                      \"import\",\n                      \"find-identity\") and\n    not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html",
+      "https://securelist.com/calisto-trojan-for-macos/86543/"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.",
+    "false_positives": [
+      "Legitimate remote account administration."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Account Password Reset Remotely",
+    "query": "sequence by host.id with maxspan=5m\n  [authentication where event.action == \"logged-in\" and\n    /* event 4624 need to be logged */\n    winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n    not source.ip in (\"127.0.0.1\", \"::1\")] by winlog.event_data.TargetLogonId\n   /* event 4724 need to be logged */\n  [iam where event.action == \"reset-password\"] by winlog.event_data.SubjectLogonId\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+      "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "AdFind Command Activity",
+    "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from\nActivity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways\nthey are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and\nunderstand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)\nobserved where this tool has been adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps:\n- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand\nthe source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines\nwhat information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.\n- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted\nmachine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic\nto suspicious infrastructure\n\n### False Positive Analysis\n- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One\noption could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can\nbe done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines could be very telling.\n\n### Related Rules\n- Windows Network Enumeration\n- Enumeration of Administrator Accounts\n- Enumeration Command Spawned via WMIPrvSE\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior\n- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate\npurposes, so understanding the intent behind the activity will help determine the appropropriate response.\n",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n  process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n                  \"objectcategory=person\", \"(objectcategory=person)\",\n                  \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n                  \"objectcategory=group\", \"(objectcategory=group)\", \n                  \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n                  \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n                  \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
+    "references": [
+      "http://www.joeware.net/freetools/tools/adfind/",
+      "https://thedfirreport.com/2020/05/08/adfind-recon/",
+      "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+      "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+      "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/",
+            "subtechnique": [
+              {
+                "id": "T1087.002",
+                "name": "Domain Account",
+                "reference": "https://attack.mitre.org/techniques/T1087/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1482",
+            "name": "Domain Trust Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1482/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"attrib.exe\" and process.args : \"+h\"\n",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Privileges Assigned to an Okta Group",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+    "false_positives": [
+      "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Administrator Role Assigned to an Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Okta",
+      "SecOps",
+      "Monitoring",
+      "Continuous Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Adobe Hijack Persistence",
+    "query": "file where event.type == \"creation\" and\n  file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n               \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n  not process.name : \"msiexec.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.010",
+                "name": "Services File Permissions Weakness",
+                "reference": "https://attack.mitre.org/techniques/T1574/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Adversary Behavior - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events which have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Mismatched Agent ID",
+    "query": "event.agent_id_status:agent_id_mismatch\n",
+    "risk_score": 73,
+    "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.",
+    "false_positives": [
+      "This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-*",
+      "metrics-*",
+      "traces-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Agent Spoofing - Multiple Hosts Using Same Agent",
+    "query": "event.agent_id_status:*\n",
+    "risk_score": 73,
+    "rule_id": "493834ca-f861-414c-8602-150d5505b777",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "host.id",
+          "value": 2
+        }
+      ],
+      "field": [
+        "agent.id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_process_all_hosts_ecs",
+      "v2_linux_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Linux Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_all_hosts_ecs",
+      "v2_windows_anomalous_process_all_hosts_ecs"
+    ],
+    "name": "Anomalous Process For a Windows Population",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_process_creation",
+      "v2_windows_anomalous_process_creation"
+    ],
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Script Execution followed by Network Connection",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n  not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Command and Control",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Apple Scripting Execution with Administrator Privileges",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n  process.command_line : \"osascript*with administrator privileges\"\n",
+    "references": [
+      "https://discussions.apple.com/thread/2266150"
+    ],
+    "risk_score": 47,
+    "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
+    "false_positives": [
+      "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Application Added to Google Workspace Domain",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
+    "references": [
+      "https://support.google.com/a/answer/6328701?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Create Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate MFA for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Deactivate an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:zone.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Delete an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Gatekeeper",
+    "query": "event.category:process and event.type:(start or process_started) and \n  process.args:(spctl and \"--master-disable\")\n",
+    "references": [
+      "https://support.apple.com/en-us/HT202491",
+      "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
+    ],
+    "risk_score": 47,
+    "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:ufw and process.args:(allow or disable or reset) or\n\n  (((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill))) and\n   process.args:(firewalld or ip6tables or iptables))\n",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  ((process.name:service and process.args:stop) or\n     (process.name:chkconfig and process.args:off) or\n     (process.name:systemctl and process.args:(disable or stop or kill)))\n  and process.args:(syslog or rsyslog or \"syslog-ng\")\n",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Enable the Root Account",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/dsenableroot.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Install Root Certificate",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:security and process.args:\"add-trusted-cert\"\n",
+    "references": [
+      "https://ss64.com/osx/security-cert.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Network Zone",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Mount SMB Share via Command Line",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    process.name : \"mount_smbfs\" or\n    (process.name : \"open\" and process.args : \"smb://*\") or\n    (process.name : \"mount\" and process.args : \"smbfs\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n  )\n",
+    "references": [
+      "https://www.freebsd.org/cgi/man.cgi?mount_smbfs",
+      "https://ss64.com/osx/mount.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Attempt to Remove File Quarantine Attribute",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : \"xattr\" and\n  (\n    (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n    (process.args : \"-c\" and process.command_line :\n      (\n        \"/bin/bash -c xattr -c *\",\n        \"/bin/zsh -c xattr -c *\",\n        \"/bin/sh -c xattr -c *\"\n      )\n    )\n  )\n",
+    "references": [
+      "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+      "https://ss64.com/osx/xattr.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Reset MFA Factors for an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n",
+    "risk_score": 73,
+    "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force a Microsoft 365 User Account",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n                             UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure\n",
+    "references": [
+      "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+    ],
+    "risk_score": 73,
+    "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt occurred at a forbidden time.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login Attempt at Forbidden Time",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"
+    ],
+    "risk_score": 47,
+    "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that a login attempt has happened from a forbidden location.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Login from Forbidden Location",
+    "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"
+    ],
+    "risk_score": 73,
+    "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number of failed login attempts has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Failed Login Attempts",
+    "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"
+    ],
+    "risk_score": 47,
+    "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that the maximum number login sessions has been reached for a user.",
+    "index": [
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Auditd Max Login Sessions",
+    "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"\n",
+    "references": [
+      "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"
+    ],
+    "risk_score": 47,
+    "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Authorization Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:(/Library/Security/SecurityAgentPlugins/* and\n  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)\n",
+    "references": [
+      "https://developer.apple.com/documentation/security/authorization_plug-ins",
+      "https://www.xorrior.com/persistent-credential-theft/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Willem D'Haese"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n  event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 73,
+    "rule_id": "37994bca-0611-4500-ab67-5588afe73b77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory High Risk User Sign-in Heuristic",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+      "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+    ],
+    "risk_score": 47,
+    "rule_id": "26edba02-6979-4bce-920a-70b080a7be81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.",
+    "false_positives": [
+      "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Active Directory PowerShell Sign-in",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.signinlogs and\n  azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n  azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.004",
+                "name": "Cloud Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.",
+    "false_positives": [
+      "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Alert Suppression Rule Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and \nevent.outcome: \"success\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+      "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update"
+    ],
+    "risk_score": 21,
+    "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.",
+    "false_positives": [
+      "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Application Credential Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Account Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n  (\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n    \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Automation Webhook Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and\n  azure.activitylogs.operation_name:\n    (\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n      \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n    ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Blob Permissions Modification",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n     \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\n  (\n    azure.activitylogs.operation_name:\"Update policy\" or\n    azure.auditlogs.operation_name:\"Update policy\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Event Hub Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure External Guest User Invitation",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"
+    ],
+    "risk_score": 21,
+    "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.",
+    "false_positives": [
+      "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Full Network Packet Capture Detected",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n    (\n        \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n        \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n    ) and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n    azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n                                    \"Add member to role in PIM completed (timebound)\") and\n    azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n    event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Key Vault Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
+    "false_positives": [
+      "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Events Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.",
+    "false_positives": [
+      "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Pods Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
+    ],
+    "risk_score": 47,
+    "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Kubernetes Rolebindings Created",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+      "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"
+    ],
+    "risk_score": 21,
+    "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Network Watcher Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Resource Group Deletion",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+    "false_positives": [
+      "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Addition",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.001",
+                "name": "Application Access Token",
+                "reference": "https://attack.mitre.org/techniques/T1550/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.",
+    "false_positives": [
+      "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Service Principal Credentials Added",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials.\" and event.outcome:(success or Success)\n",
+    "references": [
+      "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1496",
+            "name": "Resource Hijacking",
+            "reference": "https://attack.mitre.org/techniques/T1496/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.",
+    "false_positives": [
+      "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Azure Virtual Network Device Modified or Deleted",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\"or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
+    ],
+    "risk_score": 21,
+    "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(base16 or base32 or base32plain or base32hex)\n",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.",
+    "false_positives": [
+      "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Bash Shell Profile Modification",
+    "query": "event.category:file and event.type:change and\n  process.name:(* and not (sudo or\n                           vim or\n                           zsh or\n                           env or\n                           nano or\n                           bash or\n                           Terminal or\n                           xpcproxy or\n                           login or\n                           cat or\n                           cp or\n                           launchctl or\n                           java)) and\n  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n  file.path:(/private/etc/rc.local or\n             /etc/rc.local or\n             /home/*/.profile or\n             /home/*/.profile1 or\n             /home/*/.bash_profile or\n             /home/*/.bash_profile1 or\n             /home/*/.bashrc or\n             /Users/*/.bash_profile or\n             /Users/*/.zshenv)\n",
+    "references": [
+      "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.004",
+                "name": "Unix Shell Configuration Modification",
+                "reference": "https://attack.mitre.org/techniques/T1546/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"eventvwr.exe\" and\n  not process.executable : \n            (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n             \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n             \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n             \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Console History",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n     (process.args : \"*Clear-History*\" or\n     (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n     (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n",
+    "references": [
+      "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+      "https://www.shellhacks.com/clear-history-powershell/",
+      "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+    ],
+    "risk_score": 47,
+    "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Clearing Windows Event Logs",
+    "query": "process where event.type in (\"process_started\", \"start\") and\n  (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n    process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.",
+    "false_positives": [
+      "Trusted SolarWinds child processes. Verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Execution via SolarWinds Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n     \"ConfigurationWizard*.exe\",\n     \"NetflowDatabaseMaintenance*.exe\",\n     \"NetFlowService*.exe\",\n     \"SolarWinds.Administration*.exe\",\n     \"SolarWinds.Collector.Service*.exe\",\n     \"SolarwindsDiagnostics*.exe\"\n     )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.",
+    "false_positives": [
+      "Microsoft Windows installers leveraging RunDLL32 for installation."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Command Shell Activity Started via RunDLL32",
+    "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n  process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n  /* common FPs can be added here */\n  not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n                             \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n",
+    "risk_score": 21,
+    "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Component Object Model Hijacking",
+    "query": "registry where\n /* uncomment once length is stable length(bytes_written_string) > 0 and */\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n                   \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n      registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\")\n",
+    "references": [
+      "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.015",
+                "name": "Component Object Model Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1546/015/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"conhost.exe\" and\n  process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n                         \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n                         \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Free SSL Certificate Providers",
+    "query": "network where network.protocol == \"dns\" and\n  /* Add new free SSL certificate provider domains here */\n  dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n  \n  /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n  process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n                        \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t                  \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t          \"C:\\\\Windows\\\\explorer.exe\",\n\t\t          \"C:\\\\Windows\\\\notepad.exe\") and\n  \n  /* Insert noisy false positives here */\n  not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1573",
+            "name": "Encrypted Channel",
+            "reference": "https://attack.mitre.org/techniques/T1573/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Commonly Abused Web Services",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n    /* Add new WebSvc domains here */\n    dns.question.name :\n    (\n        \"raw.githubusercontent.*\",\n        \"*.pastebin.*\",\n        \"*drive.google.*\",\n        \"*docs.live.*\",\n        \"*api.dropboxapi.*\",\n        \"*dropboxusercontent.*\",\n        \"*onedrive.*\",\n        \"*4shared.*\",\n        \"*.file.io\",\n        \"*filebin.net\",\n        \"*slack-files.com\",\n        \"*ghostbin.*\",\n        \"*ngrok.*\",\n        \"*portmap.*\",\n        \"*serveo.net\",\n        \"*localtunnel.me\",\n        \"*pagekite.me\",\n        \"*localxpose.io\",\n        \"*notabug.org\",\n        \"rawcdn.githack.*\",\n        \"paste.nrecom.net\",\n        \"zerobin.net\",\n        \"controlc.com\",\n        \"requestbin.net\",\n        \"cdn.discordapp.com\",\n        \"discordapp.com\",\n        \"discord.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n      \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n      \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\-*\\\\Discord.exe\"\n    )\n",
+    "risk_score": 21,
+    "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1102",
+            "name": "Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1102/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1567",
+            "name": "Exfiltration Over Web Service",
+            "reference": "https://attack.mitre.org/techniques/T1567/",
+            "subtechnique": [
+              {
+                "id": "T1567.001",
+                "name": "Exfiltration to Code Repository",
+                "reference": "https://attack.mitre.org/techniques/T1567/001/"
+              },
+              {
+                "id": "T1567.002",
+                "name": "Exfiltration to Cloud Storage",
+                "reference": "https://attack.mitre.org/techniques/T1567/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                              \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                              \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                              \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                              \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                              \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Control Panel Process with Unusual Arguments",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n          (\"*.jpg*\",\n           \"*.png*\",\n           \"*.gif*\",\n           \"*.bmp*\",\n           \"*.jpeg*\",\n           \"*.TIFF*\",\n           \"*.inf*\",\n           \"*.dat*\",\n           \"*.cpl:*/*\",\n           \"*../../..*\",\n           \"*/AppData/Local/*\",\n           \"*:\\\\Users\\\\Public\\\\*\",\n           \"*\\\\AppData\\\\Local\\\\*\")\n",
+    "references": [
+      "https://www.joesandbox.com/analysis/476188/1/html"
+    ],
+    "risk_score": 73,
+    "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.002",
+                "name": "Control Panel",
+                "reference": "https://attack.mitre.org/techniques/T1218/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n  process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n  not process.name in (\"ls\", \"find\")\n",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Launch Agent or Daemon",
+    "query": "file where event.type != \"deletion\" and\n  file.path : \n  (\n    \"/System/Library/LaunchAgents/.*.plist\",\n    \"/Library/LaunchAgents/.*.plist\",\n    \"/Users/*/Library/LaunchAgents/.*.plist\",\n    \"/System/Library/LaunchDaemons/.*.plist\",\n    \"/Library/LaunchDaemons/.*.plist\"\n  )\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of Hidden Login Item via Apple Script",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
+    "risk_score": 47,
+    "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.002",
+                "name": "AppleScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation of a Hidden Local User Account",
+    "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n",
+    "references": [
+      "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+      "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"
+    ],
+    "risk_score": 73,
+    "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.004",
+                "name": "Private Keys",
+                "reference": "https://attack.mitre.org/techniques/T1552/004/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.",
+    "false_positives": [
+      "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of Root Certificate",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path :\n    (\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n      \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+      "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"
+    ],
+    "risk_score": 21,
+    "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.004",
+                "name": "Install Root Certificate",
+                "reference": "https://attack.mitre.org/techniques/T1553/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "file where event.type != \"deletion\" and\n  file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n               \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n  not process.name : \"dfsrs.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Credential Acquisition via Registry Hive Dumping",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              },
+              {
+                "id": "T1003.004",
+                "name": "LSA Secrets",
+                "reference": "https://attack.mitre.org/techniques/T1003/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Dumping - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Credential Manipulation - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Error",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"
+    ],
+    "risk_score": 73,
+    "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.",
+    "false_positives": [
+      "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-cyberarkpas.audit*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "CyberArk Privileged Access Security Recommended Monitor",
+    "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.\n",
+    "query": "event.dataset:cyberarkpas.audit and\n  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n  not event.type:error\n",
+    "references": [
+      "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57",
+    "rule_name_override": "event.action",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "cyberarkpas",
+      "SecOps",
+      "Log Auditing",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 12
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "DNS-over-HTTPS Enabled via Registry",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n  registry.data.strings : \"secure\") or\n  (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+      "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"
+    ],
+    "risk_score": 21,
+    "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Default Cobalt Strike Team Server Certificate",
+    "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
+    "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
+    "references": [
+      "https://attack.mitre.org/software/S0154/",
+      "https://www.cobaltstrike.com/help-setup-collaboration",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+      "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
+    "severity": "critical",
+    "tags": [
+      "Command and Control",
+      "Post-Execution",
+      "Threat Detection",
+      "Elastic",
+      "Network",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"deletejournal\" and process.args : \"usn\"\n",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n  process.args : \"catalog\" and process.args : \"delete\"\n",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic",
+      "Ivan Ninichuck",
+      "Austin Songer"
+    ],
+    "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Event and Security Logs Using Built-in Tools",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n\n  ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n      process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n  ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n      (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\")  or\n\t\n  ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"
+    ],
+    "risk_score": 21,
+    "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"netsh.exe\" and\n  (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n  (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling User Account Control via Registry Modification",
+    "query": "registry where event.type == \"change\" and\n  registry.path :\n    (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n    ) and\n  registry.data.strings : \"0\"\n",
+    "references": [
+      "https://www.greyhathacker.net/?p=796",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
+      "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.",
+    "false_positives": [
+      "Planned Windows Defender configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Disabling Windows Defender Security Settings via PowerShell",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
+    "false_positives": [
+      "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Domain Added to Google Workspace Trusted Domains",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
+    "references": [
+      "https://support.google.com/a/answer/6160020?hl=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Dumping Account Hashes via Built-In Commands",
+    "query": "event.category:process and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n",
+    "references": [
+      "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+      "https://www.unix.com/man-page/osx/8/mkpassdb/"
+    ],
+    "risk_score": 73,
+    "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Dumping of Keychain Content via Security Command",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+    "references": [
+      "https://ss64.com/osx/security.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "EggShell Backdoor Execution",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n",
+    "references": [
+      "https://github.com/neoneggplant/EggShell"
+    ],
+    "risk_score": 73,
+    "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Emond Rules Creation or Modification",
+    "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.",
+    "false_positives": [
+      "Host Windows Firewall planned system administration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enable Host Network Discovery via Netsh",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n",
+    "risk_score": 47,
+    "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encoded Executable Stored in the Registry",
+    "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+    "risk_score": 47,
+    "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Encrypting Files with WinRar or 7z",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n      process.pe.original_file_name == \"Command line RAR\") and\n    process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n  or\n  (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n     process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n  /* uncomment if noisy for backup software related FPs */\n  /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
+    ],
+    "risk_score": 47,
+    "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration Command Spawned via WMIPrvSE",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name:\n  (\n    \"arp.exe\",\n    \"dsquery.exe\",\n    \"dsget.exe\",\n    \"gpresult.exe\",\n    \"hostname.exe\",\n    \"ipconfig.exe\",\n    \"nbtstat.exe\",\n    \"net.exe\",\n    \"net1.exe\",\n    \"netsh.exe\",\n    \"netstat.exe\",\n    \"nltest.exe\",\n    \"ping.exe\",\n    \"qprocess.exe\",\n    \"quser.exe\",\n    \"qwinsta.exe\",\n    \"reg.exe\",\n    \"sc.exe\",\n    \"systeminfo.exe\",\n    \"tasklist.exe\",\n    \"tracert.exe\",\n    \"whoami.exe\"\n  ) and\n  process.parent.name:\"wmiprvse.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          },
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Administrator Accounts",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n    ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n        not process.parent.name : \"net.exe\")) and\n   process.args : (\"group\", \"user\", \"localgroup\") and\n   process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n   not process.args : \"/add\")\n\n   or\n\n  ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n     process.args : (\"group\", \"useraccount\"))\n",
+    "risk_score": 21,
+    "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.002",
+                "name": "Domain Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Privileged Local Groups Membership",
+    "note": "## Config\n\nThis will require Windows security event 4799 by enabling audit success for the windows Account Management category and\nthe Security Group Management subcategory.\n",
+    "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n              (\"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n               \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n               \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n               \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n               \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n               \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n               \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n               \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n               \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n               \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n               \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n               \"?:\\\\Program Files\\\\*.exe\",\n               \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n  winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n",
+    "risk_score": 43,
+    "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Enumeration of Users or Groups via Built-in Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n    \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n     \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n     \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n     \"/usr/local/jamf/bin/jamf\"\n    ) and \n  process.name : (\"ldapsearch\", \"dsmemberutil\") or\n  (process.name : \"dscl\" and \n     process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n     process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n",
+    "risk_score": 21,
+    "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/"
+          },
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Executable File Creation with Multiple Extensions",
+    "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n  file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n",
+    "risk_score": 47,
+    "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.004",
+                "name": "Masquerade Task or Service",
+                "reference": "https://attack.mitre.org/techniques/T1036/004/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution from Unusual Directory - Command Line",
+    "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name : (\"wscript.exe\", \n                  \"cscript.exe\", \n                  \"rundll32.exe\", \n                  \"regsvr32.exe\", \n                  \"cmstp.exe\",\n                  \"RegAsm.exe\",\n                  \"installutil.exe\",\n                  \"mshta.exe\",\n                  \"RegSvcs.exe\", \n                  \"powershell.exe\", \n                  \"pwsh.exe\", \n                  \"cmd.exe\") and\n                  \n  /* add suspicious execution paths here */\n  process.args : (\"C:\\\\PerfLogs\\\\*\",\n                  \"C:\\\\Users\\\\Public\\\\*\",\n                  \"C:\\\\Users\\\\Default\\\\*\",\n                  \"C:\\\\Windows\\\\Tasks\\\\*\",\n                  \"C:\\\\Intel\\\\*\", \n                  \"C:\\\\AMD\\\\Temp\\\\*\", \n                  \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n                  \"C:\\\\Windows\\\\ServiceState\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n                  \"C:\\\\Windows\\\\Branding\\\\*\",\n                  \"C:\\\\Windows\\\\csc\\\\*\",\n                  \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n                  \"C:\\\\Windows\\\\en-US\\\\*\",\n                  \"C:\\\\Windows\\\\wlansvc\\\\*\",\n                  \"C:\\\\Windows\\\\Prefetch\\\\*\",\n                  \"C:\\\\Windows\\\\Fonts\\\\*\",\n                  \"C:\\\\Windows\\\\diagnostics\\\\*\",\n                  \"C:\\\\Windows\\\\TAPI\\\\*\",\n                  \"C:\\\\Windows\\\\INF\\\\*\",\n                  \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n                  \"C:\\\\windows\\\\tracing\\\\*\",\n                  \"c:\\\\windows\\\\IME\\\\*\",\n                  \"c:\\\\Windows\\\\Performance\\\\*\",\n                  \"c:\\\\windows\\\\intel\\\\*\",\n                  \"c:\\\\windows\\\\ms\\\\*\",\n                  \"C:\\\\Windows\\\\dot3svc\\\\*\",\n                  \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n                  \"C:\\\\Windows\\\\panther\\\\*\",\n                  \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n                  \"C:\\\\Windows\\\\OCR\\\\*\",\n                  \"C:\\\\Windows\\\\appcompat\\\\*\",\n                  \"C:\\\\Windows\\\\apppatch\\\\*\",\n                  \"C:\\\\Windows\\\\addins\\\\*\",\n                  \"C:\\\\Windows\\\\Setup\\\\*\",\n                  \"C:\\\\Windows\\\\Help\\\\*\",\n                  \"C:\\\\Windows\\\\SKB\\\\*\",\n                  \"C:\\\\Windows\\\\Vss\\\\*\",\n                  \"C:\\\\Windows\\\\Web\\\\*\",\n                  \"C:\\\\Windows\\\\servicing\\\\*\",\n                  \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n                  \"C:\\\\Windows\\\\Logs\\\\*\",\n                  \"C:\\\\Windows\\\\WaaS\\\\*\",\n                  \"C:\\\\Windows\\\\twain_32\\\\*\",\n                  \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n                  \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n                  \"C:\\\\Windows\\\\PLA\\\\*\",\n                  \"C:\\\\Windows\\\\Migration\\\\*\",\n                  \"C:\\\\Windows\\\\debug\\\\*\",\n                  \"C:\\\\Windows\\\\Cursors\\\\*\",\n                  \"C:\\\\Windows\\\\Containers\\\\*\",\n                  \"C:\\\\Windows\\\\Boot\\\\*\",\n                  \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n                  \"C:\\\\Windows\\\\assembly\\\\*\",\n                  \"C:\\\\Windows\\\\TextInput\\\\*\",\n                  \"C:\\\\Windows\\\\security\\\\*\",\n                  \"C:\\\\Windows\\\\schemas\\\\*\",\n                  \"C:\\\\Windows\\\\SchCache\\\\*\",\n                  \"C:\\\\Windows\\\\Resources\\\\*\",\n                  \"C:\\\\Windows\\\\rescache\\\\*\",\n                  \"C:\\\\Windows\\\\Provisioning\\\\*\",\n                  \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n                  \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n                  \"C:\\\\Windows\\\\media\\\\*\",\n                  \"C:\\\\Windows\\\\Globalization\\\\*\",\n                  \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n                  \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n                  \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n                  \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n                  \"C:\\\\$Recycle.Bin\\\\*\") and\n  not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n                                   \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n                                   \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n  not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n",
+    "risk_score": 47,
+    "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of COM object via Xwizard",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n   (process.args : \"RunWizard\" and process.args : \"{*}\") or\n   (process.executable != null and\n     not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n   )\n )\n",
+    "references": [
+      "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+      "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"
+    ],
+    "risk_score": 47,
+    "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-120m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "60m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution of Persistent Suspicious Program",
+    "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n   /* add suspicious programs here */\n   process.pe.original_file_name in (\"cscript.exe\",\n                                     \"wscript.exe\",\n                                     \"PowerShell.EXE\",\n                                     \"MSHTA.EXE\",\n                                     \"RUNDLL32.EXE\",\n                                     \"REGSVR32.EXE\",\n                                     \"RegAsm.exe\",\n                                     \"MSBuild.exe\",\n                                     \"InstallUtil.exe\") and\n    /* add potential suspicious paths here */\n    process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution via Electron Child Process Node.js Module",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n",
+    "references": [
+      "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
+      "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
+      "https://nodejs.org/api/child_process.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via TSClient Mountpoint",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 73,
+    "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Execution via local SxS Shared Module",
+    "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.",
+    "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"
+    ],
+    "risk_score": 47,
+    "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1129",
+            "name": "Shared Modules",
+            "reference": "https://attack.mitre.org/techniques/T1129/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Execution with Explicit Credentials via Scripting",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
+      "https://www.manpagez.com/man/8/security_authtrampoline/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Exploit - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Exporting Exchange Mailbox via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.002",
+                "name": "Remote Email Collection",
+                "reference": "https://attack.mitre.org/techniques/T1114/002/"
+              }
+            ]
+          },
+          {
+            "id": "T1005",
+            "name": "Data from Local System",
+            "reference": "https://attack.mitre.org/techniques/T1005/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "External IP Lookup from Non-Browser Process",
+    "query": "network where network.protocol == \"dns\" and\n    process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n    event.action == \"lookup_requested\" and\n    /* Add new external IP lookup services here */\n    dns.question.name :\n    (\n        \"*api.ipify.org\",\n        \"*freegeoip.app\",\n        \"*checkip.amazonaws.com\",\n        \"*checkip.dyndns.org\",\n        \"*freegeoip.app\",\n        \"*icanhazip.com\",\n        \"*ifconfig.*\",\n        \"*ipecho.net\",\n        \"*ipgeoapi.com\",\n        \"*ipinfo.io\",\n        \"*ip.anysrc.net\",\n        \"*myexternalip.com\",\n        \"*myipaddress.com\",\n        \"*showipaddress.com\",\n        \"*whatismyipaddress.com\",\n        \"*wtfismyip.com\",\n        \"*ipapi.co\",\n        \"*ip-lookup.net\",\n        \"*ipstack.com\"\n    ) and\n    /* Insert noisy false positives here */\n    not process.executable :\n    (\n      \"?:\\\\Program Files\\\\*.exe\",\n      \"?:\\\\Program Files (x86)\\\\*.exe\",\n      \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n      \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n      \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n      \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n      \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n    )\n",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and\n  process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:(chmod or chown or chattr or chgrp) and\n  process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n  not user.name:root\n",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.",
+    "false_positives": [
+      "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "File and Directory Discovery",
+    "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n    process.name : \"tree.com\"]\n",
+    "risk_score": 21,
+    "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1083",
+            "name": "File and Directory Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1083/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.",
+    "false_positives": [
+      "Trusted Finder Sync Plugins"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Finder Sync Plugin Registered and Enabled",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n    process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n    not process.args :\n    (\n      \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n      \"com.google.drivefs.findersync\",\n      \"com.boxcryptor.osx.Rednif\",\n      \"com.adobe.accmac.ACCFinderSync\",\n      \"com.microsoft.OneDrive.FinderSync\",\n      \"com.insynchq.Insync.Insync-Finder-Integration\",\n      \"com.box.desktop.findersyncext\"\n    )\n  ]\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Firewall Rule Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Role Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Kubernetes Rolebindings Created or Patched",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+      "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
+      "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Logging Sink Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Disabled",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Service Account Key Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-gcp*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success\n",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.",
+    "false_positives": [
+      "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
+    "references": [
+      "https://developers.google.com/admin-sdk/directory/v1/guides/delegation"
+    ],
+    "risk_score": 47,
+    "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Assigned to a User",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/172176?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.",
+    "false_positives": [
+      "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Admin Role Deletion",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Custom Admin Role Created",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace MFA Enforcement Disabled",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false\n",
+    "references": [
+      "https://support.google.com/a/answer/9176657?hl=en#"
+    ],
+    "risk_score": 47,
+    "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Password Policy Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n  google_workspace.admin.setting.name:(\n    \"Password Management - Enforce strong password\" or\n    \"Password Management - Password reset frequency\" or\n    \"Password Management - Enable password reuse\" or\n    \"Password Management - Enforce password policy at next login\" or\n    \"Password Management - Minimum password length\" or\n    \"Password Management - Maximum password length\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.",
+    "false_positives": [
+      "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Google Workspace Role Modified",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
+    "references": [
+      "https://support.google.com/a/answer/2406043?hl=en"
+    ],
+    "risk_score": 47,
+    "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Group Policy Abuse for Privilege Addition",
+    "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named\nGptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique\nfor each GPO, and only exists if the GPO contains security settings.\nExample Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges,\nfor example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user SIDs associated with these privileges\n\n### False Positive Analysis\n- Verify if these User SIDs should have these privileges enabled.\n- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the\n`winlog.event_data.SubjectUserName` field\n\n### Related Rules\n- Scheduled Task Execution at Scale via GPO\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and \nwinlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 73,
+    "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n  network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n  destination.port:(53 OR 80 OR 8080 OR 443)\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic",
+      "@BenB196",
+      "Austin Songer"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and\n  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n                user.account.unlock_token)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "okta.actor.alternate_id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "High Number of Process and/or Service Terminations",
+    "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n",
+    "risk_score": 47,
+    "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Hosts File Modified",
+    "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "any where\n\n  /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n     miss this, which is the purpose of the process + command line args logic below */\n  (\n   event.category == \"file\" and event.type in (\"change\", \"creation\") and\n     file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n  )\n  or\n\n  /* process events for change targeting linux only */\n  (\n   event.category == \"process\" and event.type in (\"start\") and\n     process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n     process.args : (\"/etc/hosts\")\n  )\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1565",
+            "name": "Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1565/",
+            "subtechnique": [
+              {
+                "id": "T1565.001",
+                "name": "Stored Data Manipulation",
+                "reference": "https://attack.mitre.org/techniques/T1565/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n  process.args : \"/dontLog*:*True\" and\n  not process.parent.name : \"iissetup.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.002",
+                "name": "Disable Windows Event Logging",
+                "reference": "https://attack.mitre.org/techniques/T1562/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Image File Execution Options Injection",
+    "query": "registry where length(registry.data.strings) > 0 and\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\", \n                  \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\", \n                  \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\") and\n   /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+    "references": [
+      "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
+    ],
+    "risk_score": 41,
+    "rule_id": "6839c821-011d-43bd-bd5b-acff00257226",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.012",
+                "name": "Image File Execution Options Injection",
+                "reference": "https://attack.mitre.org/techniques/T1546/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "ImageLoad via Windows Update Auto Update Client",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n   /* necessary windows update client args to load a dll */\n   process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n   /* common paths writeable by a standard user where the target DLL can be placed */\n   process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
+    "references": [
+      "https://dtm.uk/wuauclt/"
+    ],
+    "risk_score": 47,
+    "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement via MSHTA",
+    "query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n  ] by host.id, process.entity_id\n  [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n     network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n     source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by host.id, process.entity_id\n",
+    "references": [
+      "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with MMC",
+    "query": "sequence by host.id with maxspan=1m\n [network where event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
+    ],
+    "risk_score": 73,
+    "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
+    "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and process.name : \"explorer.exe\" and\n  network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n  source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+    "references": [
+      "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.003",
+                "name": "Distributed Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1021/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via PowerShell Remoting",
+    "query": "sequence by host.id with maxspan = 30s\n   [network where network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n    network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.",
+    "false_positives": [
+      "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Incoming Execution via WinRM Remote Shell",
+    "query": "sequence by host.id with maxspan=30s\n   [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n    destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n",
+    "risk_score": 47,
+    "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.004",
+                "name": "InstallUtil",
+                "reference": "https://attack.mitre.org/techniques/T1218/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan = 5m\n  [process where event.type in (\"start\", \"process_started\") and\n    not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n    registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Installation of Security Support Provider",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages*\", \n                    \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.005",
+                "name": "Security Support Provider",
+                "reference": "https://attack.mitre.org/techniques/T1547/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and\n  process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and\n  process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n                \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.name:kcc and\n  process.args:copy_cred_cache\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.",
+    "false_positives": [
+      "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Kerberos Traffic from Unusual Process",
+    "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.006",
+                "name": "Kernel Modules and Extensions",
+                "reference": "https://attack.mitre.org/techniques/T1547/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+    "false_positives": [
+      "Applications for password management."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Keychain Password Retrieval via Command Line",
+    "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n",
+    "references": [
+      "https://www.netmeister.org/blog/keychain-passwords.html",
+      "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
+      "https://ss64.com/osx/security.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 73,
+    "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.003",
+                "name": "Credentials from Web Browsers",
+                "reference": "https://attack.mitre.org/techniques/T1555/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LSASS Memory Dump Creation",
+    "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n",
+    "references": [
+      "https://github.com/outflanknl/Dumpert",
+      "https://github.com/hoangprod/AndrewSpecial"
+    ],
+    "risk_score": 73,
+    "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Movement via Startup Folder",
+    "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n  (process.name : \"mstsc.exe\" or process.pid == 4) and\n   file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2017/06/rdpinception/"
+    ],
+    "risk_score": 73,
+    "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Lateral Tool Transfer",
+    "query": "sequence by host.id with maxspan=30s\n  [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n   network.direction : (\"incoming\", \"ingress\") and\n   network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ] by process.entity_id\n  /* add more executable extensions here if they are not noisy in your environment */\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1570",
+            "name": "Lateral Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1570/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchAgent"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Launch Agent Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and \n  file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence.",
+    "false_positives": [
+      "Trusted applications persisting via LaunchDaemons"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "LaunchDaemon Creation or Modification and Immediate Loading",
+    "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n",
+    "references": [
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Local Scheduled Task Creation",
+    "query": "sequence with maxspan=1m\n  [process where event.type != \"end\" and\n    ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                      \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n    process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n                                     \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n                                     \"winrshost.exe\")) or\n    process.code_signature.trusted == false)] by process.entity_id\n  [process where event.type == \"start\" and\n    (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n    process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n    /* exclude SYSTEM SIDs - look for task creations by non-SYSTEM user */\n    not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.",
+    "false_positives": [
+      "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-130m",
+    "index": [
+      "filebeat-*",
+      "logs-google_workspace*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "MFA Disabled for Google Workspace Organization",
+    "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+    "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n",
+    "risk_score": 47,
+    "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Google Workspace",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Malware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.",
+    "false_positives": [
+      "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "97314185-2568-4561-ae81-f3e480e5e695",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.",
+    "false_positives": [
+      "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "514121ce-c7b6-474a-8237-68ff71672379",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
+    "false_positives": [
+      "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange DLP Policy Removed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.",
+    "false_positives": [
+      "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.",
+    "false_positives": [
+      "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Malware Filter Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.",
+    "false_positives": [
+      "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Management Group Role Assignment",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
+    ],
+    "risk_score": 21,
+    "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
+    "false_positives": [
+      "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Safe Link Policy Disabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
+    "false_positives": [
+      "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Creation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.",
+    "false_positives": [
+      "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Exchange Transport Rule Modification",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+    ],
+    "risk_score": 47,
+    "rule_id": "272a6484-2663-46db-a532-ef734bf9a796",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Gary Blackwell",
+      "Austin Songer"
+    ],
+    "description": "Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions are required on the mailbox to create an Inbox rule.",
+    "false_positives": [
+      "An inbox rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 New Inbox Rule Created",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide"
+    ],
+    "risk_score": 21,
+    "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1114",
+            "name": "Email Collection",
+            "reference": "https://attack.mitre.org/techniques/T1114/",
+            "subtechnique": [
+              {
+                "id": "T1114.003",
+                "name": "Email Forwarding Rule",
+                "reference": "https://attack.mitre.org/techniques/T1114/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.",
+    "false_positives": [
+      "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Potential ransomware activity",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1486",
+            "name": "Data Encrypted for Impact",
+            "reference": "https://attack.mitre.org/techniques/T1486/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.",
+    "false_positives": [
+      "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Custom Application Interaction Allowed",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"
+    ],
+    "risk_score": 47,
+    "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.",
+    "false_positives": [
+      "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams External Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"
+    ],
+    "risk_score": 47,
+    "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.",
+    "false_positives": [
+      "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Teams Guest Access Enabled",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies that a user has deleted an unusually large volume of files  as reported by Microsoft Cloud App Security.",
+    "false_positives": [
+      "Users or System Administrator cleaning out folders."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 Unusual Volume of File Deletion",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.",
+    "false_positives": [
+      "A user sending emails using personal distribution folders may trigger the event."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Microsoft 365 User Restricted from Sending Email",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+    "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+      "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"
+    ],
+    "risk_score": 47,
+    "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"MSBuild.exe\" and\n  process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n  process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"MSBuild.exe\" and\n  process.parent.name : (\"eqnedt32.exe\",\n                         \"excel.exe\",\n                         \"fltldr.exe\",\n                         \"msaccess.exe\",\n                         \"mspub.exe\",\n                         \"outlook.exe\",\n                         \"powerpnt.exe\",\n                         \"winword.exe\" )\n",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.pe.original_file_name == \"MSBuild.exe\" and\n  not process.name : \"MSBuild.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.",
+    "false_positives": [
+      "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n    not process.name : (\"werfault.exe\", \"wermgr.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.",
+    "false_positives": [
+      "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.",
+      "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Server UM Writing Suspicious Files",
+    "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n",
+    "query": "file where event.type == \"creation\" and\n  process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n  file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n  (\n    file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n       not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n            file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n                        \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n    (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n       not file.name : \"TimeoutLogoff.aspx\")\n  )\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"
+    ],
+    "risk_score": 47,
+    "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Exchange Worker Spawning Suspicious Processes",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n  (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n  process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+      "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
+      "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+    ],
+    "risk_score": 73,
+    "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n  process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n   process.args : \"/list\" and process.args : \"/text*password\"\n",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.",
+    "false_positives": [
+      "Legitimate Windows Defender configuration changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Microsoft Windows Defender Tampering",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n  registry.data.strings : \"1\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n  registry.data.strings : \"0\") or\n  (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n  registry.data.strings : \"1\")\n",
+    "references": [
+      "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+      "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+      "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
+      "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
+      "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of AmsiEnable Registry Key",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path: \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" and\n  registry.data.strings: \"0\"\n",
+    "references": [
+      "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
+      "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+    ],
+    "risk_score": 73,
+    "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of Boot Configuration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n  (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n  (process.args : \"no\" and process.args : \"recoveryenabled\")\n",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Dynamic Linker Preload Shared Object",
+    "query": "event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload\n",
+    "references": [
+      "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+    ],
+    "risk_score": 47,
+    "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.006",
+                "name": "Dynamic Linker Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Environment Variable via Launchctl",
+    "query": "event.category:process and event.type:start and\n  process.name:launchctl and\n  process.args:(setenv and not (JAVA*_HOME or\n                                RUNTIME_JAVA_HOME or\n                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n                                ANT_HOME or\n                                LG_WEBOS_TV_SDK_HOME or\n                                WEBOS_CLI_TV or\n                                EDEN_ENV)\n                ) and\n  not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/usr/local/bin/kr\" or\n                                 \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n                                 \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"
+    ],
+    "risk_score": 47,
+    "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.",
+    "false_positives": [
+      "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of OpenSSH Binaries",
+    "query": "event.category:file and event.type:change and \n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.executable:/usr/bin/dpkg\n",
+    "references": [
+      "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Safari Settings via Defaults Command",
+    "query": "event.category:process and event.type:start and\n  process.name:defaults and process.args:\n    (com.apple.Safari and write and not\n      (\n      UniversalSearchEnabled or\n      SuppressSearchSuggestions or\n      WebKitTabToLinksPreferenceKey or\n      ShowFullURLInSmartSearchField or\n      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n      )\n    )\n",
+    "references": [
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.",
+    "false_positives": [
+      "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification of Standard Authentication Module or Configuration",
+    "query": "event.category:file and event.type:change and \n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and \n  process.executable:\n    (* and \n      not \n      (\n        /bin/yum or \n        \"/usr/sbin/pam-auth-update\" or \n        /usr/libexec/packagekitd or \n        /usr/bin/dpkg or \n        /usr/bin/vim or \n        /usr/libexec/xpcproxy or \n        /usr/bin/bsdtar or \n        /usr/local/bin/brew or\n        /usr/bin/rsync or\n        /usr/bin/yum or\n        /var/lib/docker/*/bin/yum or\n        /var/lib/docker/*/bin/dpkg or\n        ./merged/var/lib/docker/*/bin/dpkg or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         )\n",
+    "references": [
+      "https://github.com/zephrax/linux-pam-backdoor",
+      "https://github.com/eurialo/pambd",
+      "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
+      "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Credential Access",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Modification of WDigest Security Provider",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and\n  registry.data.strings:\"1\"\n",
+    "references": [
+      "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
+      "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019"
+    ],
+    "risk_score": 73,
+    "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mounting Hidden or WebDav Remote Shares",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive  */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n",
+    "risk_score": 21,
+    "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/",
+            "subtechnique": [
+              {
+                "id": "T1127.001",
+                "name": "MSBuild",
+                "reference": "https://attack.mitre.org/techniques/T1127/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-20m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=10m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "NTDS or SAM Database File Copied",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n       process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n    ) or\n    (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n  ) and\n  process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
+    "references": [
+      "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+      "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
+    ],
+    "risk_score": 73,
+    "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.002",
+                "name": "Security Account Manager",
+                "reference": "https://attack.mitre.org/techniques/T1003/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Net command via SYSTEM account",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n  user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  process.name : \"whoami.exe\" or\n  (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and\n   process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n   not (\n         user.id == \"S-1-5-18\" and\n         (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n       )\n   ]\n  [network where process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\")  and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n                 event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n    not cidrmatch(destination.ip,\n      \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n      \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n      \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n      \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.",
+    "false_positives": [
+      "Authorized third party network logon providers."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Network Logon Provider Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\" and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n       registry.data.strings in\n                (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n                 \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n                 \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n      )\n",
+    "references": [
+      "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+      "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+    ],
+    "risk_score": 47,
+    "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_destination_country",
+    "name": "Network Traffic to Rare Destination Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+    "false_positives": [
+      "Legitimate exchange system administration activity."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+    ],
+    "risk_score": 47,
+    "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "New or Modified Federation Domain",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or \n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and \nevent.outcome:success\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
+      "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"
+    ],
+    "risk_score": 21,
+    "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.002",
+                "name": "Domain Trust Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "NullSessionPipe Registry Modification",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\" and\nregistry.data.strings != null\n",
+    "references": [
+      "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+      "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"
+    ],
+    "risk_score": 47,
+    "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Excessive Single Sign-On Logon Errors",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+    "risk_score": 73,
+    "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "user.id"
+      ],
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.",
+    "false_positives": [
+      "Assignment of rights to a service account."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Exchange Suspicious Mailbox Right Delegation",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success\n",
+    "risk_score": 21,
+    "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.002",
+                "name": "Exchange Email Delegate Permissions",
+                "reference": "https://attack.mitre.org/techniques/T1098/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.",
+    "false_positives": [
+      "Legitimate whitelisting of noisy accounts"
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "O365 Mailbox Audit Logging Bypass",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n",
+    "references": [
+      "https://twitter.com/misconfig/status/1476144066807140355"
+    ],
+    "risk_score": 47,
+    "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Outbound Scheduled Task Activity via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n",
+    "references": [
+      "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Parent Process PID Spoofing",
+    "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=5m\n [process where event.type == \"start\" and\n  process.Ext.token.integrity_level_name != \"system\" and\n  (\n    process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                                     \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                                     \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n                                     \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or\n    process.executable : (\"?:\\\\Users\\\\*.exe\",\n                          \"?:\\\\ProgramData\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n                          \"?:\\\\Windows\\\\Tasks\\\\*\") or\n    process.code_signature.trusted != true\n  )\n  ] by process.pid\n [process where event.type == \"start\" and process.parent.Ext.real.pid > 0 and\n  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n  \n  not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\")\n ] by process.parent.Ext.real.pid\n",
+    "references": [
+      "https://blog.didierstevens.com/2017/03/20/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/",
+            "subtechnique": [
+              {
+                "id": "T1134.004",
+                "name": "Parent PID Spoofing",
+                "reference": "https://attack.mitre.org/techniques/T1134/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Peripheral Device Discovery",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n  process.args : \"fsinfo\" and process.args : \"drives\"\n",
+    "risk_score": 21,
+    "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1120",
+            "name": "Peripheral Device Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1120/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Permission Theft - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via BITS Job Notify Cmdline",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n  not process.executable :\n              (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n               \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n               \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n               \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+      "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+      "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+    ],
+    "risk_score": 47,
+    "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1197",
+            "name": "BITS Jobs",
+            "reference": "https://attack.mitre.org/techniques/T1197/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via DirectoryService Plugin Modification",
+    "query": "event.category:file and not event.type:deletion and\n  file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n",
+    "references": [
+      "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"
+    ],
+    "risk_score": 47,
+    "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Persistence via Docker Shortcut Modification",
+    "query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
+    "references": [
+      "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Folder Action Script",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\")] by process.parent.pid\n",
+    "references": [
+      "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
+    ],
+    "risk_score": 47,
+    "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Hidden Run Key Detected",
+    "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\", \n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
+    "references": [
+      "https://github.com/outflanknl/SharpHide",
+      "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via KDE AutoStart Script or Desktop File Modification",
+    "query": "file where event.type != \"deletion\" and\n  file.extension in (\"sh\", \"desktop\") and\n  file.path :\n    (\n      \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n      \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n      \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n      \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n      \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n      \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n      \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n      \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n    )\n",
+    "references": [
+      "https://userbase.kde.org/System_Settings/Autostart",
+      "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Login or Logout Hook",
+    "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n       (\n         \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n         \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n       )\n",
+    "references": [
+      "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
+      "https://www.manpagez.com/man/1/defaults/"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1037",
+            "name": "Boot or Logon Initialization Scripts",
+            "reference": "https://attack.mitre.org/techniques/T1037/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Office AddIns",
+    "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n    (\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n    \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n    )\n",
+    "references": [
+      "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.",
+    "false_positives": [
+      "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Microsoft Outlook VBA",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n",
+    "references": [
+      "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+      "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"
+    ],
+    "risk_score": 47,
+    "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1137",
+            "name": "Office Application Startup",
+            "reference": "https://attack.mitre.org/techniques/T1137/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.",
+    "false_positives": [
+      "Legitimate scheduled jobs may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Scheduled Job Creation",
+    "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+    "risk_score": 47,
+    "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n  not process.name : (\"conhost.exe\",\n                      \"DeviceCensus.exe\",\n                      \"CompatTelRunner.exe\",\n                      \"DismHost.exe\",\n                      \"rundll32.exe\",\n                      \"powershell.exe\")\n",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "process where event.type == \"start\" and\n  process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n  process.parent.args : \"UsoSvc\" and\n  not process.executable :\n         (\n          \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n          \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n          \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n          )\n",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Event Subscription",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"create\" and\n  process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n",
+    "risk_score": 21,
+    "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.003",
+                "name": "Windows Management Instrumentation Event Subscription",
+                "reference": "https://attack.mitre.org/techniques/T1546/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistence via WMI Standard Registry Provider",
+    "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n                  \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n                  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
+    ],
+    "risk_score": 73,
+    "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Persistent Scripts in the Startup Directory",
+    "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n  \n  /* detect shortcuts created by wscript.exe or cscript.exe */\n  (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n     process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n  /* detect vbs or js files created by any process */\n  file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n               \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
+    "risk_score": 47,
+    "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Port Forwarding Rule Addition",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and \n  (\n    azure.activitylogs.operation_name:\"Consent to application\" or\n    azure.auditlogs.operation_name:\"Consent to application\" or\n    o365.audit.Operation:\"Consent to application.\"\n  ) and\n  event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1568",
+            "name": "Dynamic Resolution",
+            "reference": "https://attack.mitre.org/techniques/T1568/",
+            "subtechnique": [
+              {
+                "id": "T1568.002",
+                "name": "Domain Generation Algorithms",
+                "reference": "https://attack.mitre.org/techniques/T1568/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Possible Okta DoS Attack",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Admin Group Account Addition",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n",
+    "references": [
+      "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"
+    ],
+    "risk_score": 47,
+    "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.011",
+                "name": "Application Shimming",
+                "reference": "https://attack.mitre.org/techniques/T1546/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
+    "false_positives": [
+      "Processes such as MS Office using IEproxy to render HTML content."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Command and Control via Internet Explorer",
+    "query": "sequence by host.id, user.id with maxspan = 5s\n  [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n  [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n  [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n   not dns.question.name :\n   (\n    \"*.microsoft.com\",\n    \"*.digicert.com\",\n    \"*.msocsp.com\",\n    \"*.windowsupdate.com\",\n    \"*.bing.com\",\n    \"*.identrust.com\",\n    \"*.sharepoint.com\",\n    \"*.office365.com\",\n    \"*.office.com\"\n    )\n  ]\n",
+    "risk_score": 47,
+    "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1559",
+            "name": "Inter-Process Communication",
+            "reference": "https://attack.mitre.org/techniques/T1559/",
+            "subtechnique": [
+              {
+                "id": "T1559.001",
+                "name": "Component Object Model",
+                "reference": "https://attack.mitre.org/techniques/T1559/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
+    "false_positives": [
+      "Developers performing browsers plugin or extension debugging."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Potential Cookies Theft via Browser Debugging",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\", \n                   \"--remote-debugging-targets=*\",  \n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+    "references": [
+      "https://github.com/defaultnamehere/cookie_crimes",
+      "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+      "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+      "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
+    ],
+    "risk_score": 47,
+    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via DuplicateHandle in LSASS",
+    "query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+    "references": [
+      "https://github.com/CCob/MirrorDump"
+    ],
+    "risk_score": 47,
+    "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via LSASS Memory Dump",
+    "query": "process where event.code == \"10\" and\n  winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n  \n   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n  winlog.event_data.CallTrace : (\"*dbhelp*\", \"*dbgcore*\") and\n  \n   /* case of lsass crashing */\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n",
+    "references": [
+      "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"
+    ],
+    "risk_score": 73,
+    "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Renamed COM+ Services DLL",
+    "note": "## Config\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.",
+    "query": "sequence by process.entity_id with maxspan=1m\n [process where event.category == \"process\" and\n    process.name : \"rundll32.exe\"]\n [process where event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n   (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n    /* renamed COMSVCS */\n    not file.name : \"COMSVCS.DLL\"]\n",
+    "references": [
+      "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Credential Access via Windows Utilities",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
+    "references": [
+      "https://lolbas-project.github.io/"
+    ],
+    "risk_score": 73,
+    "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              },
+              {
+                "id": "T1003.003",
+                "name": "NTDS",
+                "reference": "https://attack.mitre.org/techniques/T1003/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Dennis Perto"
+    ],
+    "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.",
+    "false_positives": [
+      "Microsoft Antimalware Service Executable installed on non default installation path."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
+    "query": "process where event.type == \"start\" and\n  (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n  (process.name : \"MsMpEng.exe\" and not\n        process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n                              \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n                              \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n",
+    "references": [
+      "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+    ],
+    "risk_score": 73,
+    "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "process where event.type == \"start\" and\n  process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n  not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n         process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n                               \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n                               \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n                               \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n         )\n",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)\n",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential DNS Tunneling via NsLookup",
+    "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.004",
+                "name": "DNS",
+                "reference": "https://attack.mitre.org/techniques/T1071/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 15
+    },
+    "type": "threshold",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0\n",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+    "risk_score": 47,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Hidden Local User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n",
+    "references": [
+      "https://support.apple.com/en-us/HT203998"
+    ],
+    "risk_score": 47,
+    "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/",
+            "subtechnique": [
+              {
+                "id": "T1078.003",
+                "name": "Local Accounts",
+                "reference": "https://attack.mitre.org/techniques/T1078/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Kerberos Attack via Bifrost",
+    "query": "event.category:process and event.type:start and \n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n",
+    "references": [
+      "https://github.com/its-a-feature/bifrost"
+    ],
+    "risk_score": 73,
+    "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1550",
+            "name": "Use Alternate Authentication Material",
+            "reference": "https://attack.mitre.org/techniques/T1550/",
+            "subtechnique": [
+              {
+                "id": "T1550.003",
+                "name": "Pass the Ticket",
+                "reference": "https://attack.mitre.org/techniques/T1550/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1558",
+            "name": "Steal or Forge Kerberos Tickets",
+            "reference": "https://attack.mitre.org/techniques/T1558/",
+            "subtechnique": [
+              {
+                "id": "T1558.003",
+                "name": "Kerberoasting",
+                "reference": "https://attack.mitre.org/techniques/T1558/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSA Authentication Package Abuse",
+    "query": "registry where event.type == \"change\" and\n  registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 47,
+    "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.002",
+                "name": "Authentication Package",
+                "reference": "https://attack.mitre.org/techniques/T1547/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.",
+    "query": "process where event.code:\"4688\" and\n  process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n  process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
+    ],
+    "risk_score": 73,
+    "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
+    "note": "## Config\n\nThis is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.",
+    "query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n                                 \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n",
+    "references": [
+      "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+      "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"
+    ],
+    "risk_score": 73,
+    "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "cardinality": [
+        {
+          "field": "winlog.event_data.TargetProcessId",
+          "value": 2
+        }
+      ],
+      "field": [
+        "process.entity_id"
+      ],
+      "value": 2
+    },
+    "timestamp_override": "event.ingested",
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Microsoft Office Sandbox Evasion",
+    "query": "event.category:file and not event.type:deletion and file.name:~$*.zip\n",
+    "references": [
+      "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
+      "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/",
+      "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"
+    ],
+    "risk_score": 73,
+    "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n    (\n    \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n    \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n    \"utilman.exe\",\n    \"ATBroker.exe\",\n    \"DisplaySwitch.exe\",\n    \"sethc.exe\"\n    )\n and not process.pe.original_file_name in\n    (\n    \"osk.exe\",\n    \"sethc.exe\",\n    \"utilman2.exe\",\n    \"DisplaySwitch.exe\",\n    \"ATBroker.exe\",\n    \"ScreenMagnifier.exe\",\n    \"SR.exe\",\n    \"Narrator.exe\",\n    \"magnify.exe\",\n    \"MAGNIFY.EXE\"\n    )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
+    "references": [
+      "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
+    ],
+    "risk_score": 73,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.008",
+                "name": "Accessibility Features",
+                "reference": "https://attack.mitre.org/techniques/T1546/008/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.",
+    "false_positives": [
+      "Updates to approved and trusted SSH executables can trigger this rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential OpenSSH Backdoor Logging Activity",
+    "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n  (\n    file.name : (\".*\", \"~*\") or\n    file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n    file.path : \n    (\n      \"/private/etc/*--\", \n      \"/usr/share/*\", \n      \"/usr/include/*\", \n      \"/usr/local/include/*\", \n      \"/private/tmp/*\", \n      \"/private/var/tmp/*\",\n      \"/usr/tmp/*\", \n      \"/usr/share/man/*\", \n      \"/usr/local/share/*\", \n      \"/usr/lib/*.so.*\", \n      \"/private/etc/ssh/.sshd_auth\",\n      \"/usr/bin/ssd\", \n      \"/private/var/opt/power\", \n      \"/private/etc/ssh/ssh_known_hosts\", \n      \"/private/var/html/lol\", \n      \"/private/var/log/utmp\", \n      \"/private/var/lib\",\n      \"/var/run/sshd/sshd.pid\",\n      \"/var/run/nscd/ns.pid\",\n      \"/var/run/udev/ud.pid\",\n      \"/var/run/udevd.pid\"\n    )\n  )\n",
+    "references": [
+      "https://github.com/eset/malware-ioc/tree/master/sshdoor",
+      "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
+    ],
+    "risk_score": 73,
+    "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1556",
+            "name": "Modify Authentication Process",
+            "reference": "https://attack.mitre.org/techniques/T1556/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-30m",
+    "index": [
+      "filebeat-*",
+      "logs-o365*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Password Spraying of Microsoft 365 User Accounts",
+    "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
+    "risk_score": 73,
+    "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Microsoft 365",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "source.ip"
+      ],
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Atom Init Script Modification",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
+      "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Login Hook",
+    "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n",
+    "references": [
+      "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.011",
+                "name": "Plist Modification",
+                "reference": "https://attack.mitre.org/techniques/T1547/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Periodic Tasks",
+    "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n",
+    "references": [
+      "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
+      "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"
+    ],
+    "risk_score": 21,
+    "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Persistence via Time Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path:\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\" and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://pentestlab.blog/2019/10/22/persistence-time-providers/"
+    ],
+    "risk_score": 47,
+    "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.003",
+                "name": "Time Providers",
+                "reference": "https://attack.mitre.org/techniques/T1547/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Port Monitor or Print Processor Registration Abuse",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n    \"HLLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\") and\n  registry.data.strings : \"*.dll\" and\n  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "references": [
+      "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.010",
+                "name": "Port Monitors",
+                "reference": "https://attack.mitre.org/techniques/T1547/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare Exploit Registry Modification",
+    "query": "/* This rule is not compatible with Sysmon due to schema issues */\n\nregistry where process.name : \"spoolsv.exe\" and\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\mimikatz*\\\\Data File\" or\n  (registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Drivers\\\\Version-3\\\\*\\\\Configuration File\" and\n   registry.data.strings : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\")))\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "6506c9fd-229e-4722-8f0f-69be759afd2a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential PrintNightmare File Modification",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nfile where process.name : \"spoolsv.exe\" and \n file.name : (\"kernelbase.dll\", \"ntdll.dll\", \"kernel32.dll\", \"winhttp.dll\", \"user32.dll\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 73,
+    "rule_id": "5e87f165-45c2-4b80-bfa5-52822552c997",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via Localhost Secure Copy",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n",
+    "references": [
+      "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privacy Control Bypass via TCCDB Modification",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
+    "references": [
+      "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
+      "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
+      "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
+    ],
+    "risk_score": 47,
+    "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via InstallerFileTakeOver",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Priivilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,\nan unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n#### Possible investigation steps:\n\n- Check for the digital signature of the executable\n- Look for additional processes spawned by the process, command lines and network communications.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n\n- Verify whether the digital signature exists in the executable, and if it is valid.\n\n### Related Rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and Remediation\n\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n",
+    "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and \n    user.id : \"S-1-5-18\" and\n    (\n      (process.name : \"elevation_service.exe\" and \n       not process.pe.original_file_name == \"elevation_service.exe\") or\n\n      (process.parent.name : \"elevation_service.exe\" and \n       process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\")) \n    )\n",
+    "references": [
+      "https://github.com/klinix5/InstallerFileTakeOver"
+    ],
+    "risk_score": 73,
+    "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Privilege Escalation via Sudoers File Modification",
+    "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n",
+    "risk_score": 73,
+    "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Process Herpaderping Attempt",
+    "query": "sequence with maxspan=5s\n   [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n   [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
+    "references": [
+      "https://github.com/jxy-s/herpaderping"
+    ],
+    "risk_score": 73,
+    "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Process Injection via PowerShell",
+    "note": "## Triage and analysis.\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,\nlike the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject\npayloads directly into the memory, without touching the disk.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n   (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n      LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n   (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n      SuspendThread or ResumeThread)\n  )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
+      "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Protocol Tunneling via EarthWorm",
+    "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
+    "references": [
+      "http://rootkiter.com/EarthWorm/",
+      "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+    ],
+    "risk_score": 47,
+    "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Shadowing Activity",
+    "query": "/* Identifies the modification of RDP Shadow registry or\n  the execution of processes indicative of active shadow RDP session */\n\nany where \n  (event.category == \"registry\" and\n     registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n  ) or\n  (event.category == \"process\" and \n     (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n     (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n  )\n",
+    "references": [
+      "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
+      "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Remote Desktop Tunneling Detected",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  /* RDP port and usual SSH tunneling related switches in command line */\n  process.args : \"*:3389\" and\n  process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n",
+    "references": [
+      "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"
+    ],
+    "risk_score": 73,
+    "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1572",
+            "name": "Protocol Tunneling",
+            "reference": "https://attack.mitre.org/techniques/T1572/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Reverse Shell Activity via Terminal",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n  process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n",
+    "references": [
+      "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+      "https://github.com/WangYihang/Reverse-Shell-Manager",
+      "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential SSH Brute Force Detected",
+    "query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n",
+    "references": [
+      "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.id"
+      ],
+      "value": 20
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential SharpRDP Behavior",
+    "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n  [network where event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and \n   network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n  ]\n\n  [registry where process.name : \"explorer.exe\" and \n   registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n   registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n  ]\n  \n  [process where event.type in (\"start\", \"process_started\") and\n   (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and \n   not process.name : \"conhost.exe\"\n   ]\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and\n  user.name:(apache or nginx or www or \"www-data\")\n",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Potential Windows Error Manager Masquerading",
+    "query": "sequence by host.id, process.entity_id with maxspan = 5s\n  [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n  [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n    network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n  ]\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
+      "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Keylogging Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other\nvaluable information as Credit Card data and confidential conversations.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  ( \n   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or \n   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))\n   )\n",
+    "references": [
+      "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
+      "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.001",
+                "name": "Keylogging",
+                "reference": "https://attack.mitre.org/techniques/T1056/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.",
+    "false_positives": [
+      "Powershell Scripts that use this capability for troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell MiniDump Script",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nProcess Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged\ninformation stored in the process memory.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
+      "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 73,
+    "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/",
+            "subtechnique": [
+              {
+                "id": "T1003.001",
+                "name": "LSASS Memory",
+                "reference": "https://attack.mitre.org/techniques/T1003/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell PSReflect Script",
+    "note": "## Triage and analysis\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through\nPowerShell, enabling the defender to discover tools being dropped in the environment.\n\n#### Possible investigation steps:\n- Check for additional PowerShell logs that indicate that the script/command was run.\n- Gather the script content that may be split into multiple script blocks, and identify its capabilities.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n- Look for additional alerts involving the host and the user.\n\n### False Positive Analysis\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\nThe 'PowerShell Script Block Logging' logging policy is required be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text:(\n    New-InMemoryModule or\n    Add-Win32Type or\n    psenum or\n    DefineDynamicAssembly or\n    DefineDynamicModule or\n    Reflection.TypeAttributes or\n    Reflection.Emit.OpCodes or\n    Reflection.Emit.CustomAttributeBuilder or\n    Runtime.InteropServices.DllImportAttribute\n  )\n",
+    "references": [
+      "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.",
+    "false_positives": [
+      "Legitimate Powershell Scripts that make use of these Functions"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Discovery Related Windows API Functions",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries\nlike PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    NetShareEnum or\n    NetWkstaUserEnum or\n    NetSessionEnum or\n    NetLocalGroupEnum or\n    NetLocalGroupGetMembers or\n    DsGetSiteName or\n    DsEnumerateDomainTrusts or\n    WTSEnumerateSessionsEx or\n    WTSQuerySessionInformation or\n    LsaGetLogonSessionData or\n    QueryServiceObjectSecurity\n  )\n",
+    "references": [
+      "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          },
+          {
+            "id": "T1069",
+            "name": "Permission Groups Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1069/",
+            "subtechnique": [
+              {
+                "id": "T1069.001",
+                "name": "Local Groups",
+                "reference": "https://attack.mitre.org/techniques/T1069/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          },
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.",
+    "false_positives": [
+      "Legitimate PowerShell Scripts which makes use of compression and encoding"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Payload Encoded and Compressed",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    (System.IO.Compression.DeflateStream or System.IO.Compression.GzipStream or IO.Compression.DeflateStream or IO.Compression.GzipStream) and\n    FromBase64String\n  )\n",
+    "risk_score": 47,
+    "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          },
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+    "note": "## Triage and analysis.\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the\ncomputer.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree)\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)\n  )\n",
+    "references": [
+      "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"
+    ],
+    "risk_score": 47,
+    "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1123",
+            "name": "Audio Capture",
+            "reference": "https://attack.mitre.org/techniques/T1123/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs (Remote Access Tools).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "PowerShell Suspicious Script with Screenshot Capabilities",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    CopyFromScreen and\n    (System.Drawing.Bitmap or Drawing.Bitmap)\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"
+    ],
+    "risk_score": 47,
+    "rule_id": "959a7353-1129-4aa7-9084-30746b256a70",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Collection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1113",
+            "name": "Screen Capture",
+            "reference": "https://attack.mitre.org/techniques/T1113/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Named Pipe Impersonation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+    "references": [
+      "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation"
+    ],
+    "risk_score": 73,
+    "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Rogue Named Pipe Impersonation",
+    "note": "## Config\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n",
+    "query": "file where event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n  file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
+    "references": [
+      "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
+      "https://github.com/zcgonvh/EfsPotato",
+      "https://twitter.com/SBousseaden/status/1429530155291193354"
+    ],
+    "risk_score": 73,
+    "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1134",
+            "name": "Access Token Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1134/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Root Crontab File Modification",
+    "query": "event.category:file and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n",
+    "references": [
+      "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
+      "https://www.exploit-db.com/exploits/42146"
+    ],
+    "risk_score": 73,
+    "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.003",
+                "name": "Cron",
+                "reference": "https://attack.mitre.org/techniques/T1053/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Privilege Escalation via Windir Environment Variable",
+    "query": "registry where registry.path : (\"HKEY_USERS\\\\*\\\\Environment\\\\windir\", \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\") and \n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n",
+    "references": [
+      "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.007",
+                "name": "Path Interception by PATH Environment Variable",
+                "reference": "https://attack.mitre.org/techniques/T1574/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/",
+            "subtechnique": [
+              {
+                "id": "T1204.002",
+                "name": "Malicious File",
+                "reference": "https://attack.mitre.org/techniques/T1204/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.001",
+                "name": "Compiled HTML File",
+                "reference": "https://attack.mitre.org/techniques/T1218/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Execution from an Unusual Directory",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "risk_score": 47,
+    "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Process Injection - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Process Termination followed by Deletion",
+    "query": "sequence by host.id with maxspan=5s\n   [process where event.type == \"end\" and \n    process.code_signature.trusted == false and\n    not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n   ] by process.executable\n   [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
+    "risk_score": 47,
+    "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.004",
+                "name": "File Deletion",
+                "reference": "https://attack.mitre.org/techniques/T1070/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Program Files Directory Masquerading",
+    "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.005",
+                "name": "Match Legitimate Name or Location",
+                "reference": "https://attack.mitre.org/techniques/T1036/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Prompt for Credentials with OSASCRIPT",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
+      "https://ss64.com/osx/osascript.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1056",
+            "name": "Input Capture",
+            "reference": "https://attack.mitre.org/techniques/T1056/",
+            "subtechnique": [
+              {
+                "id": "T1056.002",
+                "name": "GUI Input Capture",
+                "reference": "https://attack.mitre.org/techniques/T1056/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "RDP Enabled via Registry",
+    "query": "registry where\nregistry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\nregistry.data.strings == \"0\" and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\nnot process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.001",
+                "name": "Remote Desktop Protocol",
+                "reference": "https://attack.mitre.org/techniques/T1021/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Detected - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "max_signals": 10000,
+    "name": "Ransomware - Prevented - Elastic Endgame",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Elastic Endgame"
+    ],
+    "type": "query",
+    "version": 8
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
+    "false_positives": [
+      "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_user",
+    "name": "Rare User Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppCert DLL",
+    "query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n  registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+    "risk_score": 47,
+    "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.009",
+                "name": "AppCert DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/009/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Registry Persistence via AppInit DLL",
+    "query": "registry where\n   registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n                    \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n   not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n                             \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n                             \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n                             \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.010",
+                "name": "AppInit DLLs",
+                "reference": "https://attack.mitre.org/techniques/T1546/010/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Desktop Enabled in Windows Firewall",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
+    "risk_score": 47,
+    "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Execution via File Shares",
+    "query": "sequence with maxspan=1m\n  [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "references": [
+      "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy to a Hidden Share",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n  process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n",
+    "risk_score": 47,
+    "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/",
+            "subtechnique": [
+              {
+                "id": "T1021.002",
+                "name": "SMB/Windows Admin Shares",
+                "reference": "https://attack.mitre.org/techniques/T1021/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n  file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          },
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n  process.args : \"/lockscreenurl:http*\"\n",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n   process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via PowerShell",
+    "query": "sequence by host.id, process.entity_id with maxspan=30s\n  [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n   not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n   not user.domain : \"NT AUTHORITY\"]\n    [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n   not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+    "risk_score": 47,
+    "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote File Download via Script Interpreter",
+    "query": "sequence by host.id, process.entity_id\n  [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n   network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n  ]\n  [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+    "risk_score": 47,
+    "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on)\n",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html",
+      "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote Scheduled Task Creation",
+    "note": "## Triage and analysis\n\n### Investigating Creation of Remote Scheduled Tasks\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can\nbe used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.\nWhen investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the\noriginal intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind\nof network administrator work. One objective for these alerts is to understand the configured action within the scheduled\ntask, this is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps:\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the\nscheduled task.\n- Further examination should include both the source and target machines where host-based artifacts and network logs\nshould be reviewed further around the time window of the creation of the scheduled task.\n\n### False Positive Analysis\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature\nwithin Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to\nfurther understand the source of the activity and determine the intent based on the scheduled task contents.\n\n### Related Rules\n- Service Command Lateral Movement\n- Remotely Started Services via RPC\n\n### Response and Remediation\n- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should\nbe taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise\nbehavior.\n- Remove scheduled task and any other related artifacts to the activity.\n- Review privileged account management and user account management settings such as implementing GPO policies to further\nrestrict activity or configure settings that only allow Administrators to create remote scheduled tasks.\n",
+    "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification  */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n   [network where process.name : \"svchost.exe\" and\n   network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ]\n   [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remote System Discovery Commands",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n  (process.name : \"arp.exe\" and process.args : \"-a\")\n",
+    "risk_score": 21,
+    "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Remotely Started Services via RPC",
+    "query": "sequence with maxspan=1s\n   [network where process.name : \"services.exe\" and\n      network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n      source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n   ] by host.id, process.entity_id\n\n   [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n       not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n       not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n   \n    /* uncomment if psexec is noisy in your environment */\n    /* and not process.name : \"PSEXESVC.exe\" */\n   ] by host.id, process.parent.entity_id\n",
+    "risk_score": 47,
+    "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/",
+            "subtechnique": [
+              {
+                "id": "T1036.003",
+                "name": "Rename System Utilities",
+                "reference": "https://attack.mitre.org/techniques/T1036/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SIP Provider Modification",
+    "query": "registry where event.type:\"change\" and\n  registry.path: (\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n    \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n    \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n    ) and\n  registry.data.strings:\"*.dll\"\n",
+    "references": [
+      "https://github.com/mattifestation/PoCSubjectInterfacePackage"
+    ],
+    "risk_score": 47,
+    "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.003",
+                "name": "SIP and Trust Provider Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1553/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SSH Authorized Keys File Modification",
+    "query": "event.category:file and event.type:(change or creation) and \n file.name:(\"authorized_keys\" or \"authorized_keys2\") and \n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or \n              /usr/local/Cellar/maven/*/libexec/bin/mvn or \n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or \n              /usr/bin/vim or \n              /usr/local/Cellar/coreutils/*/bin/gcat or \n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or \n              /usr/bin/scp or\n              /usr/bin/touch or \n              /var/lib/docker/*)\n",
+    "risk_score": 47,
+    "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/",
+            "subtechnique": [
+              {
+                "id": "T1098.004",
+                "name": "SSH Authorized Keys",
+                "reference": "https://attack.mitre.org/techniques/T1098/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SUNBURST Command and Control Activity",
+    "note": "## Triage and analysis\n\nThe SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
+    "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n  process.name : (\"ConfigurationWizard.exe\",\n                  \"NetFlowService.exe\",\n                  \"NetflowDatabaseMaintenance.exe\",\n                  \"SolarWinds.Administration.exe\",\n                  \"SolarWinds.BusinessLayerHost.exe\",\n                  \"SolarWinds.BusinessLayerHostx64.exe\",\n                  \"SolarWinds.Collector.Service.exe\",\n                  \"SolarwindsDiagnostics.exe\") and\n  (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n  (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n  not http.request.body.content : \"*solarwinds.com*\"\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Created by a Windows Script",
+    "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.",
+    "query": "sequence by host.id with maxspan = 30s\n  [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n  [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
+    "risk_score": 47,
+    "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.",
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Scheduled Task Execution at Scale via GPO",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,\nthis is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious\ncommands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition\n- Startup/Logon Script added to Group Policy Object\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and \n   winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) \nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n  (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse",
+      "https://twitter.com/menasec1/status/1106899890377052160",
+      "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
+    ],
+    "risk_score": 47,
+    "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Scheduled Tasks AT Command Enabled",
+    "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"
+    ],
+    "risk_score": 47,
+    "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Screensaver Plist File Modified by Unexpected Process",
+    "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host",
+    "query": "file where event.type != \"deletion\" and\n  file.name: \"com.apple.screensaver.*.plist\" and\n  file.path : (\n    \"/Users/*/Library/Preferences/ByHost/*\",\n    \"/Library/Managed Preferences/*\",\n    \"/System/Library/Preferences/*\"\n    ) and\n  /* Filter OS processes modifying screensaver plist files */\n  not process.executable : (\n    \"/usr/sbin/cfprefsd\",\n    \"/usr/libexec/xpcproxy\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n    \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Searching for Saved Credentials via VaultCmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n  process.args:\"/list*\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://rastamouse.me/blog/rdp-jump-boxes/"
+    ],
+    "risk_score": 47,
+    "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          },
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.004",
+                "name": "Windows Credential Manager",
+                "reference": "https://attack.mitre.org/techniques/T1555/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery using WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n   (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n    process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
+    "risk_score": 47,
+    "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.",
+    "false_positives": [
+      "Endpoint Security installers, updaters and post installation verification scripts."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Security Software Discovery via Grep",
+    "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n   process.args :\n         (\"Little Snitch*\",\n          \"Avast*\",\n          \"Avira*\",\n          \"ESET*\",\n          \"BlockBlock*\",\n          \"360Sec*\",\n          \"LuLu*\",\n          \"KnockKnock*\",\n          \"kav\",\n          \"KIS\",\n          \"RTProtectionDaemon*\",\n          \"Malware*\",\n          \"VShieldScanner*\",\n          \"WebProtection*\",\n          \"webinspectord*\",\n          \"McAfee*\",\n          \"isecespd*\",\n          \"macmnsvc*\",\n          \"masvc*\",\n          \"kesl*\",\n          \"avscan*\",\n          \"guard*\",\n          \"rtvscand*\",\n          \"symcfgd*\",\n          \"scmdaemon*\",\n          \"symantec*\",\n          \"sophos*\",\n          \"osquery*\",\n          \"elastic-endpoint*\"\n          ) and\n   not (process.args : \"Avast\" and process.args : \"Passwords\")\n",
+    "risk_score": 47,
+    "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1518",
+            "name": "Software Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1518/",
+            "subtechnique": [
+              {
+                "id": "T1518.001",
+                "name": "Security Software Discovery",
+                "reference": "https://attack.mitre.org/techniques/T1518/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sensitive Files Compression",
+    "query": "event.category:process and event.type:start and\n  process.name:(zip or tar or gzip or hdiutil or 7z) and\n  process.args:\n    (\n      /root/.ssh/id_rsa or\n      /root/.ssh/id_rsa.pub or\n      /root/.ssh/id_ed25519 or\n      /root/.ssh/id_ed25519.pub or\n      /root/.ssh/authorized_keys or\n      /root/.ssh/authorized_keys2 or\n      /root/.ssh/known_hosts or\n      /root/.bash_history or\n      /etc/hosts or\n      /home/*/.ssh/id_rsa or\n      /home/*/.ssh/id_rsa.pub or\n      /home/*/.ssh/id_ed25519 or\n      /home/*/.ssh/id_ed25519.pub or\n      /home/*/.ssh/authorized_keys or\n      /home/*/.ssh/authorized_keys2 or\n      /home/*/.ssh/known_hosts or\n      /home/*/.bash_history or\n      /root/.aws/credentials or\n      /root/.aws/config or\n      /home/*/.aws/credentials or\n      /home/*/.aws/config or\n      /root/.docker/config.json or\n      /home/*/.docker/config.json or\n      /etc/group or\n      /etc/passwd or\n      /etc/shadow or\n      /etc/gshadow\n    )\n",
+    "references": [
+      "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Collection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1552",
+            "name": "Unsecured Credentials",
+            "reference": "https://attack.mitre.org/techniques/T1552/",
+            "subtechnique": [
+              {
+                "id": "T1552.001",
+                "name": "Credentials In Files",
+                "reference": "https://attack.mitre.org/techniques/T1552/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1560",
+            "name": "Archive Collected Data",
+            "reference": "https://attack.mitre.org/techniques/T1560/",
+            "subtechnique": [
+              {
+                "id": "T1560.001",
+                "name": "Archive via Utility",
+                "reference": "https://attack.mitre.org/techniques/T1560/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan = 1m\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n      process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n      process.args : (\"create\", \"config\", \"failure\", \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Service Control Spawned via Script Interpreter",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n  process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n                         \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n  process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n  /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n  not user.id : \"S-1-5-18\"\n",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Setuid / Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n           (\n             /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n             /\\/usr\\/local\\/lib\\/python.+/ OR\n             /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n             /\\/Library\\/Filesystems\\/.+/ OR\n             /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n             /\\/Library\\/Application.*/ OR\n             \"/run/postgresql\" OR\n             \"/var/crash\" OR\n             \"/var/run/postgresql\" OR\n             /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n             /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n             \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n             /\\/run\\/log\\/journal\\/.*/ OR\n             \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n           ) AND\n NOT process.parent.executable:\n           (\n             /\\/var\\/lib\\/docker\\/.+/ OR\n             \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n             \"/var/lib/dpkg/info/whoopsie.postinst\"\n           )\n",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.001",
+                "name": "Setuid and Setgid",
+                "reference": "https://attack.mitre.org/techniques/T1548/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shell Execution via Apple Scripting",
+    "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n",
+    "references": [
+      "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Shortcut File Written or Modified for Persistence",
+    "query": "file where event.type != \"deletion\" and\n  user.domain != \"NT AUTHORITY\" and\n  file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n               \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n  process.name : (\"cmd.exe\",\n                  \"powershell.exe\",\n                  \"wmic.exe\",\n                  \"mshta.exe\",\n                  \"pwsh.exe\",\n                  \"cscript.exe\",\n                  \"wscript.exe\",\n                  \"regsvr32.exe\",\n                  \"RegAsm.exe\",\n                  \"rundll32.exe\",\n                  \"EQNEDT32.EXE\",\n                  \"WINWORD.EXE\",\n                  \"EXCEL.EXE\",\n                  \"POWERPNT.EXE\",\n                  \"MSPUB.EXE\",\n                  \"MSACCESS.EXE\",\n                  \"iexplore.exe\",\n                  \"InstallUtil.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.",
+    "false_positives": [
+      "Authorized SoftwareUpdate Settings Changes"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SoftwareUpdate Preferences Modification",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:defaults and \n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n",
+    "references": [
+      "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "SolarWinds Process Disabling Services via Registry",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n     \"SolarWinds.BusinessLayerHost*.exe\", \n     \"ConfigurationWizard*.exe\", \n     \"NetflowDatabaseMaintenance*.exe\", \n     \"NetFlowService*.exe\", \n     \"SolarWinds.Administration*.exe\", \n     \"SolarWinds.Collector.Service*.exe\" , \n     \"SolarwindsDiagnostics*.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b9960fef-82c6-4816-befa-44745030e917",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a\nparticular error message. The error message in question was associated with the response to an AWS API command or method call,\nthis has the potential to uncover unknown threats or activity.\n\n#### Possible investigation steps:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n\n### False Positive Analysis\n- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent\nchanges to automation modules or scripting.\n- Adoption of new services or implementing new functionality to scripts may generate false positives\n\n### Related Rules\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
+    "false_positives": [
+      "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_fails",
+    "name": "Spike in Failed Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_denies",
+    "name": "Spike in Firewall Denies",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events",
+    "name": "Spike in Logon Events",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
+    "false_positives": [
+      "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
+    "name": "Spike in Logon Events from a Source IP",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_network_events",
+    "name": "Spike in Network Traffic",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
+    "false_positives": [
+      "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "high_count_by_destination_country",
+    "name": "Spike in Network Traffic To a Country",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup Folder Persistence via Unsigned Process",
+    "query": "sequence by host.id, process.entity_id with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n  /* suspicious paths can be added here  */\n   process.executable : (\"C:\\\\Users\\\\*.exe\", \n                         \"C:\\\\ProgramData\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n                         \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n                         \"C:\\\\Intel\\\\*.exe\", \n                         \"C:\\\\PerfLogs\\\\*.exe\")\n   ]\n   [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n    file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n                 \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n   ]\n",
+    "risk_score": 41,
+    "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Startup or Run Key Registry Modification",
+    "query": "registry where registry.data.strings != null and\n registry.path : (\n     /* Machine Hive */\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",   \n     /* Users Hive */\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n     ) and\n  /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n  not registry.data.strings : \"ctfmon.exe /n\" and\n  not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n  user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n  not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n  not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n  not (process.name : \"OneDriveSetup.exe\" and\n       registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n       registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n",
+    "risk_score": 21,
+    "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.",
+    "false_positives": [
+      "Legitimate Administrative Activity"
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Startup/Logon Script added to Group Policy Object",
+    "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to\nexecute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or \n`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\\Machine\\Scripts\\`, `<GPOPath>\\User\\Scripts\\`\n\n#### Possible investigation steps:\n- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate\nand the administrator is authorized to perform this operation.\n- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n- Verify if the execution is allowed and done under change management, and legitimate.\n\n### Related Rules\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and Remediation\n- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n",
+    "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n   winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n   (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+      "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+      "https://labs.f-secure.com/tools/sharpgpoabuse"
+    ],
+    "risk_score": 47,
+    "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation",
+      "Active Directory"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/"
+          },
+          {
+            "id": "T1484",
+            "name": "Domain Policy Modification",
+            "reference": "https://attack.mitre.org/techniques/T1484/",
+            "subtechnique": [
+              {
+                "id": "T1484.001",
+                "name": "Group Policy Modification",
+                "reference": "https://attack.mitre.org/techniques/T1484/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Sublime Plugin or Application Script Modification",
+    "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n  file.path : \n    (\n      \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n    ) and\n  not process.executable : \n    (\n      \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n      \"/usr/local/Cellar/git/*/bin/git\", \n      \"/usr/libexec/xpcproxy\", \n      \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n      \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n    )\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 21,
+    "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1554",
+            "name": "Compromise Client Software Binary",
+            "reference": "https://attack.mitre.org/techniques/T1554/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.",
+    "false_positives": [
+      "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudo Heap-Based Buffer Overflow Attempt",
+    "query": "event.category:process and event.type:start and\n  process.name:(sudo or sudoedit) and\n  process.args:(*\\\\ and (\"-i\" or \"-s\"))\n",
+    "references": [
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
+      "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
+      "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
+      "https://www.sudo.ws/alerts/unescape_overflow.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": [
+        "host.hostname"
+      ],
+      "value": 100
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n",
+    "risk_score": 47,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.003",
+                "name": "Sudo and Sudo Caching",
+                "reference": "https://attack.mitre.org/techniques/T1548/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"csc.exe\", \"vbc.exe\") and\n  process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/",
+            "subtechnique": [
+              {
+                "id": "T1027.004",
+                "name": "Compile After Delivery",
+                "reference": "https://attack.mitre.org/techniques/T1027/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious .NET Reflection via PowerShell",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    \"[System.Reflection.Assembly]::Load\" or\n    \"[Reflection.Assembly]::Load\"\n  )\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
+    ],
+    "risk_score": 73,
+    "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.001",
+                "name": "Dynamic-link Library Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/001/"
+              },
+              {
+                "id": "T1055.002",
+                "name": "Portable Executable Injection",
+                "reference": "https://attack.mitre.org/techniques/T1055/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Automator Workflows Execution",
+    "query": "sequence by host.id with maxspan=30s\n [process where event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where process.name:\"com.apple.automator.runner\"]\n",
+    "references": [
+      "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+    ],
+    "risk_score": 47,
+    "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Browser Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and \n  process.command_line != null and \n  not process.args : \n    ( \n      \"/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate\", \n      \"hw.model\", \n      \"IOPlatformExpertDevice\", \n      \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n      \"--defaults-torrc\", \n      \"Chrome.app\", \n      \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\", \n      \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\", \n      \"$DISPLAY\", \n      \"GIO_LAUNCHED_DESKTOP_FILE_PID=$$\"\n    )\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x43.html",
+      "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"
+    ],
+    "risk_score": 73,
+    "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1203",
+            "name": "Exploitation for Client Execution",
+            "reference": "https://attack.mitre.org/techniques/T1203/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1189",
+            "name": "Drive-by Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1189/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.",
+    "false_positives": [
+      "Trusted applications for managing calendars and reminders."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "auditbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Calendar File Modification",
+    "query": "event.category:file and event.action:modification and\n  file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n  process.executable:\n  (* and not \n    (\n      /System/Library/* or \n      /System/Applications/Calendar.app/Contents/MacOS/* or \n      /usr/libexec/xpcproxy or \n      /sbin/launchd or \n      /Applications/*\n    )\n  )\n",
+    "references": [
+      "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
+      "https://github.com/FSecureLABS/CalendarPersist",
+      "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"
+    ],
+    "risk_score": 47,
+    "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious CertUtil Commands",
+    "query": "process where event.type == \"start\" and\n  (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n  process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n",
+    "references": [
+      "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+      "https://twitter.com/egre55/status/1087685529016193025",
+      "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+      "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"
+    ],
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.",
+    "false_positives": [
+      "Trusted system or Adobe Acrobat Related processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n  user.name:root and\n  not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n                           /usr/bin/codesign or\n                           /private/var/folders/zz/*/T/download/ARMDCHammer or\n                           /usr/sbin/pkgutil or\n                           /usr/bin/shasum or\n                           /usr/bin/perl* or\n                           /usr/sbin/spctl or\n                           /usr/sbin/installer)\n",
+    "references": [
+      "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"
+    ],
+    "risk_score": 73,
+    "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Cmd Execution via WMI",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
+    "risk_score": 47,
+    "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
+    "query": "library where dll.name :\n  (\n  \"wlbsctrl.dll\",\n  \"wbemcomn.dll\",\n  \"WptsExtensions.dll\",\n  \"Tsmsisrv.dll\",\n  \"TSVIPSrv.dll\",\n  \"Msfte.dll\",\n  \"wow64log.dll\",\n  \"WindowsCoreDeviceInfo.dll\",\n  \"Ualapi.dll\",\n  \"wlanhlp.dll\",\n  \"phoneinfo.dll\",\n  \"EdgeGdi.dll\",\n  \"cdpsgshims.dll\",\n  \"windowsperformancerecordercontrol.dll\",\n  \"diagtrack_win.dll\"\n  ) and \nnot (dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and dll.code_signature.status : \"trusted\")\n",
+    "references": [
+      "https://itm4n.github.io/windows-dll-hijacking-clarified/",
+      "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+      "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
+      "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+      "https://windows-internals.com/faxing-your-way-to-system/",
+      "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.002",
+                "name": "DLL Side-Loading",
+                "reference": "https://attack.mitre.org/techniques/T1574/002/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1574",
+            "name": "Hijack Execution Flow",
+            "reference": "https://attack.mitre.org/techniques/T1574/",
+            "subtechnique": [
+              {
+                "id": "T1574.001",
+                "name": "DLL Search Order Hijacking",
+                "reference": "https://attack.mitre.org/techniques/T1574/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Emond Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n   \"bash\",\n   \"dash\",\n   \"sh\",\n   \"tcsh\",\n   \"csh\",\n   \"zsh\",\n   \"ksh\",\n   \"fish\",\n   \"Python\",\n   \"python*\",\n   \"perl*\",\n   \"php*\",\n   \"osascript\",\n   \"pwsh\",\n   \"curl\",\n   \"wget\",\n   \"cp\",\n   \"mv\",\n   \"touch\",\n   \"echo\",\n   \"base64\",\n   \"launchctl\")\n",
+    "references": [
+      "https://www.xorrior.com/emond-persistence/"
+    ],
+    "risk_score": 47,
+    "rule_id": "3e3d15c6-1509-479a-b125-21718372157e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/",
+            "subtechnique": [
+              {
+                "id": "T1546.014",
+                "name": "Emond",
+                "reference": "https://attack.mitre.org/techniques/T1546/014/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n  /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n                                  \"C:\\\\Windows\\\\System32\\\\services.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n                                  \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution - Short Program Name",
+    "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+    "risk_score": 47,
+    "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution from a Mounted Device",
+    "query": "process where event.type == \"start\" and process.executable : \"C:\\\\*\" and\n  (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n  process.parent.name : \"explorer.exe\" and\n  process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n                  \"cscript.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
+    ],
+    "risk_score": 47,
+    "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              },
+              {
+                "id": "T1218.005",
+                "name": "Mshta",
+                "reference": "https://attack.mitre.org/techniques/T1218/005/"
+              },
+              {
+                "id": "T1218.010",
+                "name": "Regsvr32",
+                "reference": "https://attack.mitre.org/techniques/T1218/010/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.",
+    "false_positives": [
+      "Legitimate scheduled tasks running third party software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Execution via Scheduled Task",
+    "query": "process where event.type == \"start\" and\n    /* Schedule service cmdline on Win10+ */\n    process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n    /* add suspicious programs here */\n    process.pe.original_file_name in\n                                (\n                                  \"cscript.exe\",\n                                  \"wscript.exe\",\n                                  \"PowerShell.EXE\",\n                                  \"Cmd.Exe\",\n                                  \"MSHTA.EXE\",\n                                  \"RUNDLL32.EXE\",\n                                  \"REGSVR32.EXE\",\n                                  \"MSBuild.exe\",\n                                  \"InstallUtil.exe\",\n                                  \"RegAsm.exe\",\n                                  \"RegSvcs.exe\",\n                                  \"msxsl.exe\",\n                                  \"CONTROL.EXE\",\n                                  \"EXPLORER.EXE\",\n                                  \"Microsoft.Workflow.Compiler.exe\",\n                                  \"msiexec.exe\"\n                                  ) and\n    /* add suspicious paths here */\n    process.args : (\n       \"C:\\\\Users\\\\*\",\n       \"C:\\\\ProgramData\\\\*\", \n       \"C:\\\\Windows\\\\Temp\\\\*\", \n       \"C:\\\\Windows\\\\Tasks\\\\*\", \n       \"C:\\\\PerfLogs\\\\*\", \n       \"C:\\\\Intel\\\\*\", \n       \"C:\\\\Windows\\\\Debug\\\\*\", \n       \"C:\\\\HP\\\\*\")\n",
+    "risk_score": 47,
+    "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/",
+            "subtechnique": [
+              {
+                "id": "T1053.005",
+                "name": "Scheduled Task",
+                "reference": "https://attack.mitre.org/techniques/T1053/005/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Explorer Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n   process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n   process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n  ) and\n  /* Explorer started via DCOM */\n  process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n  not process.parent.args:\n          (\n            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */\n            \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n            \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n          )\n",
+    "risk_score": 47,
+    "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              },
+              {
+                "id": "T1566.002",
+                "name": "Spearphishing Link",
+                "reference": "https://attack.mitre.org/techniques/T1566/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Hidden Child Process of Launchd",
+    "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x61.html",
+      "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+      "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.001",
+                "name": "Launch Agent",
+                "reference": "https://attack.mitre.org/techniques/T1543/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.001",
+                "name": "Hidden Files and Directories",
+                "reference": "https://attack.mitre.org/techniques/T1564/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Image Load (taskschd.dll) from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"taskschd.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+      "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+    ],
+    "risk_score": 21,
+    "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious ImagePath Service Creation",
+    "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n",
+    "risk_score": 73,
+    "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious JAVA Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"java\" and\n  process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n",
+    "references": [
+      "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+      "https://github.com/christophetd/log4shell-vulnerable-app",
+      "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n                \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \n                \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \n                \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \n                \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \n                \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n                \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"outlook.exe\" and\n  process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n                  \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n                  \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n                  \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n                  \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n                  \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n                  \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type == \"start\" and \n  process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where event.type != \"deletion\" and\n  file.name : (\"wscript.exe.log\",\n               \"cscript.exe\",\n               \"mshta.exe.log\",\n               \"wmic.exe.log\",\n               \"svchost.exe.log\",\n               \"dllhost.exe.log\",\n               \"cmstp.exe.log\",\n               \"regsvr32.exe.log\")]\n",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"AcroRd32.exe\",\n                         \"Acrobat.exe\",\n                         \"FoxitPhantomPDF.exe\",\n                         \"FoxitReader.exe\") and\n  process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n                  \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n                  \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n                  \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n                  \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n                  \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n                  \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n                  \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Suspicious Portable Executable Encoded in Powershell Script",
+    "note": "## Triage and analysis.\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.\n\nAttackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing\nAntiVirus software. These executables are generally base64 encoded.\n\n#### Possible investigation steps:\n\n- Examine script content that triggered the detection. \n- Investigate script execution chain (parent process tree).\n- Inspect any file or network events from the suspicious powershell host process instance.\n- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.\n\n### False Positive Analysis\n\n- Verify whether the script content is malicious/harmful.\n\n### Related Rules\n\n- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and Remediation\n\n- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further\npost-compromise behavior.\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+    "query": "event.category:process and \n  powershell.file.script_block_text : (\n    TVqQAAMAAAAEAAAA\n  )\n",
+    "references": [
+      "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
+    ],
+    "risk_score": 47,
+    "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PowerShell Engine ImageLoad",
+    "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n  not process.name :\n  (\n    \"Altaro.SubAgent.exe\",\n    \"AppV_Manage.exe\",\n    \"azureadconnect.exe\",\n    \"CcmExec.exe\",\n    \"configsyncrun.exe\",\n    \"choco.exe\",\n    \"ctxappvservice.exe\",\n    \"DVLS.Console.exe\",\n    \"edgetransport.exe\",\n    \"exsetup.exe\",\n    \"forefrontactivedirectoryconnector.exe\",\n    \"InstallUtil.exe\",\n    \"JenkinsOnDesktop.exe\",\n    \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n    \"mmc.exe\",\n    \"mscorsvw.exe\",\n    \"msexchangedelivery.exe\",\n    \"msexchangefrontendtransport.exe\",\n    \"msexchangehmworker.exe\",\n    \"msexchangesubmission.exe\",\n    \"msiexec.exe\",\n    \"MsiExec.exe\",\n    \"noderunner.exe\",\n    \"NServiceBus.Host.exe\",\n    \"NServiceBus.Host32.exe\",\n    \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n    \"OuiGui.WPF.exe\",\n    \"powershell.exe\",\n    \"powershell_ise.exe\",\n    \"pwsh.exe\",\n    \"SCCMCliCtrWPF.exe\",\n    \"ScriptEditor.exe\",\n    \"ScriptRunner.exe\",\n    \"sdiagnhost.exe\",\n    \"servermanager.exe\",\n    \"setup100.exe\",\n    \"ServiceHub.VSDetouredHost.exe\",\n    \"SPCAF.Client.exe\",\n    \"SPCAF.SettingsEditor.exe\",\n    \"SQLPS.exe\",\n    \"telemetryservice.exe\",\n    \"UMWorkerProcess.exe\",\n    \"w3wp.exe\",\n    \"wsmprovhost.exe\"\n  )\n",
+    "risk_score": 47,
+    "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.",
+    "false_positives": [
+      "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler File Deletion",
+    "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Print Spooler Point and Print DLL",
+    "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
+    "references": [
+      "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
+      "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
+    ],
+    "risk_score": 73,
+    "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : \"spl\" and\n  file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n  not process.name : (\"spoolsv.exe\",\n                      \"printfilterpipelinesvc.exe\",\n                      \"PrintIsolationHost.exe\",\n                      \"splwow64.exe\",\n                      \"msiexec.exe\",\n                      \"poqexec.exe\")\n",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 73,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n  file.extension : (\"exe\", \"dll\") and\n  not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 73,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Access via Direct System Call",
+    "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1278013896440324096",
+      "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+    ],
+    "risk_score": 73,
+    "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Creation CallTrace",
+    "query": "sequence by host.id with maxspan=1m\n  [process where event.code == \"1\" and\n   /* sysmon process creation */\n   process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n                          \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n                          \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\",\n                          \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\")] by process.parent.entity_id, process.entity_id\n  [process where event.code == \"10\" and\n   /* Sysmon process access event from unknown module */\n   winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n",
+    "risk_score": 43,
+    "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1569",
+            "name": "System Services",
+            "reference": "https://attack.mitre.org/techniques/T1569/",
+            "subtechnique": [
+              {
+                "id": "T1569.002",
+                "name": "Service Execution",
+                "reference": "https://attack.mitre.org/techniques/T1569/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Process from Conhost",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"conhost.exe\" and\n  not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious RDP ActiveX Client Loaded",
+    "query": "library where dll.name : \"mstscax.dll\" and\n   /* depending on noise in your env add here extra paths  */\n  process.executable :\n    (\n    \"C:\\\\Windows\\\\*\",\n    \"C:\\\\Users\\\\Public\\\\*\",\n    \"C:\\\\Users\\\\Default\\\\*\",\n    \"C:\\\\Intel\\\\*\",\n    \"C:\\\\PerfLogs\\\\*\",\n    \"C:\\\\ProgramData\\\\*\",\n    \"\\\\Device\\\\Mup\\\\*\",\n    \"\\\\\\\\*\"\n    ) and\n    /* add here FPs */\n  not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n",
+    "references": [
+      "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
+    ],
+    "risk_score": 47,
+    "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Script Object Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n  [process where event.type == \"start\" \n   and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n   process.code_signature.trusted == true) and\n     not process.executable : (\n       \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n       \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n       \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n       \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n       \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n       \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n       \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n       \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n       \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n       \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n       \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n  [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n",
+    "risk_score": 47,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.",
+    "false_positives": [
+      "Trusted SolarWinds child processes, verify process details such as network connections and file writes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious SolarWinds Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n        \"APMServiceControl*.exe\",\n        \"ExportToPDFCmd*.Exe\",\n        \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n        \"SolarWinds.Orion.Topology.Calculator*.exe\",\n        \"Database-Maint.exe\",\n        \"SolarWinds.Orion.ApiPoller.Service.exe\",\n        \"WerFault.exe\",\n        \"WerMgr.exe\")\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+      "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"
+    ],
+    "risk_score": 47,
+    "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1106",
+            "name": "Native API",
+            "reference": "https://attack.mitre.org/techniques/T1106/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1195",
+            "name": "Supply Chain Compromise",
+            "reference": "https://attack.mitre.org/techniques/T1195/",
+            "subtechnique": [
+              {
+                "id": "T1195.002",
+                "name": "Compromise Software Supply Chain",
+                "reference": "https://attack.mitre.org/techniques/T1195/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Startup Shell Folder Modification",
+    "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Activity\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges\nwhich can be ideal for an attacker.\n\n#### Possible investigation steps:\n- Review the source process and related file tied to the Windows Registry entry\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations\n- Determine if activity is unique by validating if other machines in same organization have similar entry\n\n### False Positive Analysis\n- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. Before entering further\ninvestigation, this activity should be validated that is it not related to benign activity\n\n### Related Rules\n- Startup or Run Key Registry Modification\n- Persistent Scripts in the Startup Directory\n\n### Response and Remediation\n- Activity should first be validated as a true positive event if so then immediate response should be taken to review,\ninvestigate and potentially isolate activity to prevent further post-compromise behavior\n- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand\nit's behavior and capabilities\n- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first\ninitialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source\nof the attack, this information can then be used to search for similar indicators on other machines in the same environment.\n",
+    "query": "registry where\n registry.path : (\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n     \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n     \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n     ) and\n  registry.data.strings != null and\n  /* Normal Startup Folder Paths */\n  not registry.data.strings : (\n           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n           \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n           )\n",
+    "risk_score": 73,
+    "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMI Image Load from MS Office",
+    "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n  event.action : \"load\" and\n  event.category : \"library\" and\n  dll.name : \"wmiutils.dll\"\n",
+    "references": [
+      "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
+    ],
+    "risk_score": 21,
+    "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n   process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows error reporting debugger or applications restarted by WerFault after a crash."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious WerFault Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"WerFault.exe\" and\n  not process.name : (\"cofire.exe\",\n                      \"psr.exe\",\n                      \"VsJITDebugger.exe\",\n                      \"TTTracer.exe\",\n                      \"rundll32.exe\",\n                      \"LogiOptionsMgr.exe\") and\n  not process.args : (\"/LOADSAVEDWINDOWS\",\n                      \"/restore\",\n                      \"RestartByRestartManager*\",\n                      \"--restarted\",\n                      \"createdump\",\n                      \"dontsend\",\n                      \"/watson\")\n",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+      "https://blog.menasec.net/2021/01/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious Zoom Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          },
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Suspicious macOS MS Office Child Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n   \"bash\", \n   \"dash\", \n   \"sh\", \n   \"tcsh\", \n   \"csh\", \n   \"zsh\", \n   \"ksh\", \n   \"fish\", \n   \"python*\", \n   \"perl*\", \n   \"php*\", \n   \"osascript\",\n   \"pwsh\", \n   \"curl\", \n   \"wget\", \n   \"cp\", \n   \"mv\", \n   \"base64\", \n   \"launchctl\"\n  ) and\n  /* noisy false positives related to product version discovery and office errors reporting */\n  not process.args:\n    (\n      \"ProductVersion\",\n      \"hw.model\",\n      \"ioreg\",\n      \"ProductName\",\n      \"ProductUserVisibleVersion\",\n      \"ProductBuildVersion\",\n      \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n    )\n",
+    "references": [
+      "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"
+    ],
+    "risk_score": 47,
+    "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Svchost spawning Cmd",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n  not (process.pe.original_file_name == \"Cmd.Exe\" and process.args : \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat??\")\n",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 8
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.",
+    "false_positives": [
+      "Legitimate administrative activity related to shadow copies"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Symbolic Link to Shadow Copy Created",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.pe.original_file_name == \"Cmd.Exe\" and\nprocess.args : \"*mklink*\" and\nprocess.args : \"*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\"\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
+      "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Log File Deletion",
+    "query": "file where event.type == \"deletion\" and \n  file.path : \n    (\n    \"/var/run/utmp\", \n    \"/var/log/wtmp\", \n    \"/var/log/btmp\", \n    \"/var/log/lastlog\", \n    \"/var/log/faillog\",\n    \"/var/log/syslog\", \n    \"/var/log/messages\", \n    \"/var/log/secure\", \n    \"/var/log/auth.log\"\n    )\n",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "System Shells via Services",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : \"services.exe\" and\n  process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n  \n  /* Third party FP's */\n  not process.args : \"NVDisplay.ContainerLocalSystem\"\n",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "SystemKey Access via Command Line",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:\"/private/var/db/SystemKey\"\n",
+    "references": [
+      "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"
+    ],
+    "risk_score": 73,
+    "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1555",
+            "name": "Credentials from Password Stores",
+            "reference": "https://attack.mitre.org/techniques/T1555/",
+            "subtechnique": [
+              {
+                "id": "T1555.001",
+                "name": "Keychain",
+                "reference": "https://attack.mitre.org/techniques/T1555/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "TCC Bypass via Mounted APFS Snapshot Access",
+    "query": "event.category : process and event.type : (start or process_started) and process.name : mount_apfs and\n  process.args : (/System/Volumes/Data and noowners)\n",
+    "references": [
+      "https://theevilbit.github.io/posts/cve_2020_9771/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1006",
+            "name": "Direct Volume Access",
+            "reference": "https://attack.mitre.org/techniques/T1006/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Tampering of Bash Command-Line History",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n (\n  (process.args : (\"rm\", \"echo\") and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\")) or\n  (process.name : \"history\" and process.args : \"-c\") or\n  (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n  (process.args : \"unset\" and process.args : \"HISTFILE\") or\n  (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.003",
+                "name": "Clear Command History",
+                "reference": "https://attack.mitre.org/techniques/T1070/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.",
+    "false_positives": [
+      "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Third-party Backup Files Deleted via Unexpected Process",
+    "query": "file where event.type == \"deletion\" and\n  (\n  /* Veeam Related Backup Files */\n  (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n  not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n                            \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n  /* Veritas Backup Exec Related Backup File */\n  (file.extension : \"BKF\" and\n  not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n                            \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n  )\n",
+    "references": [
+      "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"
+    ],
+    "risk_score": 47,
+    "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "filebeat-8*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.",
+    "from": "now-65m",
+    "index": [
+      "auditbeat-*",
+      "endgame-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "interval": "1h",
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Threat Intel Indicator Match",
+    "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file\nhash with an entry of a file hash stored within the Threat Intel integrations. Other examples of matches can occur on\nan IP address, registry path, URL and imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by\ninvestigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched\nand viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?\nThese kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company, is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can\nbe a great tool for augmenting existing security processes, while at the same time it should be understood that threat\nintelligence can represent a specific set of activity observed at a point in time. For example, an IP address\nmay have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and\nno longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their\nway into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and generating these rules\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, immediate response should be taken to isolate activity to prevent further\npost-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network\ndevice such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined,\nreview current running processes looking for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement\n",
+    "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"
+    ],
+    "risk_score": 99,
+    "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Windows",
+      "Elastic Endgame",
+      "Network",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat_filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.dataset",
+          "negate": false,
+          "params": {
+            "query": "ti_*"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.dataset": "ti_*"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.category",
+          "negate": false,
+          "params": {
+            "query": "threat"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.category": "threat"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.kind",
+          "negate": false,
+          "params": {
+            "query": "enrichment"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.kind": "enrichment"
+          }
+        }
+      },
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "meta": {
+          "disabled": false,
+          "key": "event.type",
+          "negate": false,
+          "params": {
+            "query": "indicator"
+          },
+          "type": "phrase"
+        },
+        "query": {
+          "match_phrase": {
+            "event.type": "indicator"
+          }
+        }
+      }
+    ],
+    "threat_index": [
+      "logs-ti_*"
+    ],
+    "threat_indicator_path": "threat.indicator",
+    "threat_language": "kuery",
+    "threat_mapping": [
+      {
+        "entries": [
+          {
+            "field": "file.hash.md5",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.md5"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha1",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha1"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.hash.sha256",
+            "type": "mapping",
+            "value": "threat.indicator.file.hash.sha256"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "file.pe.imphash",
+            "type": "mapping",
+            "value": "threat.indicator.file.pe.imphash"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "source.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "destination.ip",
+            "type": "mapping",
+            "value": "threat.indicator.ip"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "url.full",
+            "type": "mapping",
+            "value": "threat.indicator.url.full"
+          }
+        ]
+      },
+      {
+        "entries": [
+          {
+            "field": "registry.path",
+            "type": "mapping",
+            "value": "threat.indicator.registry.path"
+          }
+        ]
+      }
+    ],
+    "threat_query": "@timestamp >= \"now-30d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)",
+    "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
+    "timeline_title": "Generic Threat Match Timeline",
+    "type": "threat_match",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "max_signals": 33,
+    "name": "Timestomping using Touch Command",
+    "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n",
+    "risk_score": 47,
+    "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.006",
+                "name": "Timestomp",
+                "reference": "https://attack.mitre.org/techniques/T1070/006/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+    "references": [
+      "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
+    "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n  /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n  file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n  /* has no impact on rule logic just to avoid OS install related FPs */\n  not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt via Windows Directory Masquerading",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
+    "references": [
+      "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
+    ],
+    "risk_score": 73,
+    "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n  not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n  process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n",
+    "references": [
+      "https://github.com/hfiref0x/UACME"
+    ],
+    "risk_score": 73,
+    "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n                           \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n",
+    "risk_score": 73,
+    "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n  process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
+    "references": [
+      "https://github.com/AzAgarampur/byeintegrity-uac"
+    ],
+    "risk_score": 47,
+    "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/",
+            "subtechnique": [
+              {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control",
+                "reference": "https://attack.mitre.org/techniques/T1548/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies when an unauthorized access attempt is made by a user for an Okta application.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unauthorized Access to an Okta Application",
+    "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+    "risk_score": 21,
+    "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Uncommon Registry Persistence Change",
+    "query": "registry where\n  /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n      \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n      \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n      \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n      \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n      \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n      \n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n                              \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                           \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n                           \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n                           \"C:\\\\Program Files\\\\*.exe\",\n                           \"C:\\\\Program Files (x86)\\\\*.exe\")\n",
+    "references": [
+      "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"
+    ],
+    "risk_score": 47,
+    "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1547",
+            "name": "Boot or Logon Autostart Execution",
+            "reference": "https://attack.mitre.org/techniques/T1547/",
+            "subtechnique": [
+              {
+                "id": "T1547.001",
+                "name": "Registry Run Keys / Startup Folder",
+                "reference": "https://attack.mitre.org/techniques/T1547/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1112",
+            "name": "Modify Registry",
+            "reference": "https://attack.mitre.org/techniques/T1112/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unexpected Child Process of macOS Screensaver Engine",
+    "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas downloading a payload from a server\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n",
+    "query": "process where event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n",
+    "references": [
+      "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+      "https://github.com/D00MFist/PersistentJXA"
+    ],
+    "risk_score": 47,
+    "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1546",
+            "name": "Event Triggered Execution",
+            "reference": "https://attack.mitre.org/techniques/T1546/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.pid == 4 and\n  not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n  not process.name : \"conhost.exe\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-60m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "interval": "30m",
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n      process.args_count == 1\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-2h",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule focuses on AWS command activity where the country from the source of the activity has been\nconsidered unusual based on previous history.\n\n#### Possible investigation steps:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS,\ntherefore it's important to validate the activity listed in the investigation steps above.\n\n### Related Rules\n- Unusual City For an AWS Command\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users\n- Look into enabling multi-factor authentication for users\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "file where event.type != \"deletion\" and\n  file.extension : (\"exe\", \"dll\") and\n  process.name : (\"smss.exe\",\n                  \"autochk.exe\",\n                  \"csrss.exe\",\n                  \"wininit.exe\",\n                  \"services.exe\",\n                  \"lsass.exe\",\n                  \"winlogon.exe\",\n                  \"userinit.exe\",\n                  \"LogonUI.exe\")\n",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Creation - Alternate Data Stream",
+    "query": "file where event.type == \"creation\" and\n  file.path : \"C:\\\\*:*\" and\n  not file.path : \"C:\\\\*:zone.identifier*\" and\n  file.extension :\n    (\n      \"pdf\",\n      \"dll\",\n      \"png\",\n      \"exe\",\n      \"dat\",\n      \"com\",\n      \"bat\",\n      \"cmd\",\n      \"sys\",\n      \"vbs\",\n      \"ps1\",\n      \"hta\",\n      \"txt\",\n      \"vbe\",\n      \"js\",\n      \"wsh\",\n      \"docx\",\n      \"doc\",\n      \"xlsx\",\n      \"xls\",\n      \"pptx\",\n      \"ppt\",\n      \"rtf\",\n      \"gif\",\n      \"jpg\",\n      \"png\",\n      \"bmp\",\n      \"img\",\n      \"iso\"\n    )\n",
+    "risk_score": 47,
+    "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n  not file.name : \"dns.log\"\n",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
+    "false_positives": [
+      "Users working late, or logging in from unusual time zones while traveling, may trigger this rule."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_hour_for_a_user",
+    "name": "Unusual Hour for a User to Logon",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_network_port_activity_ecs",
+      "v2_linux_anomalous_network_port_activity_ecs"
+    ],
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_process",
+      "v2_linux_rare_metadata_process"
+    ],
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_rare_metadata_user",
+      "v2_linux_rare_metadata_user"
+    ],
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "linux_anomalous_user_name_ecs",
+      "v2_linux_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Linux Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via DllHost",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"dllhost.exe\" and process.args_count == 1]\n  [network where process.name : \"dllhost.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n    \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n    \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n    \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n    \"FF00::/8\")]\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+      "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by host.id, process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n  [network where process.name : \"rundll32.exe\" and\n   not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n       \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n       \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n       \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n       \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/",
+            "subtechnique": [
+              {
+                "id": "T1218.011",
+                "name": "Rundll32",
+                "reference": "https://attack.mitre.org/techniques/T1218/011/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : \"cmd.exe\" and\n  process.parent.name : (\"lsass.exe\",\n                         \"csrss.exe\",\n                         \"epad.exe\",\n                         \"regsvr32.exe\",\n                         \"dllhost.exe\",\n                         \"LogonUI.exe\",\n                         \"wermgr.exe\",\n                         \"spoolsv.exe\",\n                         \"jucheck.exe\",\n                         \"jusched.exe\",\n                         \"ctfmon.exe\",\n                         \"taskhostw.exe\",\n                         \"GoogleUpdate.exe\",\n                         \"sppsvc.exe\",\n                         \"sihost.exe\",\n                         \"slui.exe\",\n                         \"SIHClient.exe\",\n                         \"SearchIndexer.exe\",\n                         \"SearchProtocolHost.exe\",\n                         \"FlashPlayerUpdateService.exe\",\n                         \"WerFault.exe\",\n                         \"WUDFHost.exe\",\n                         \"unsecapp.exe\",\n                         \"wlanext.exe\" )\n",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n   /* suspicious parent processes */\n   (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n   (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n   (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n   (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n   (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n   (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n   (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n   (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n   (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n   (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n   (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n   (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n   /* suspicious child processes */\n   (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n   (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n   (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n  )\n",
+    "references": [
+      "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
+      "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
+    ],
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Persistence via Services Registry",
+    "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n  not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n                               \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n                               \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n                               \"system32\\\\DRIVERS\\\\USBSTOR\") and\n  not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n  not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n                            \"?:\\\\Program Files (x86)\\\\*.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n                            \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\services.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n                            \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n",
+    "risk_score": 21,
+    "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1543",
+            "name": "Create or Modify System Process",
+            "reference": "https://attack.mitre.org/techniques/T1543/",
+            "subtechnique": [
+              {
+                "id": "T1543.003",
+                "name": "Windows Service",
+                "reference": "https://attack.mitre.org/techniques/T1543/003/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.",
+    "false_positives": [
+      "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Print Spooler Child Process",
+    "query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and user.id : \"S-1-5-18\" and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n",
+    "references": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+      "https://github.com/afwu/PrintNightmare"
+    ],
+    "risk_score": 47,
+    "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp\n",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Execution Path - Alternate Data Stream",
+    "query": "process where event.type == \"start\" and\n  process.args : \"?:\\\\*:*\" and process.args_count == 1\n",
+    "risk_score": 47,
+    "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1564",
+            "name": "Hide Artifacts",
+            "reference": "https://attack.mitre.org/techniques/T1564/",
+            "subtechnique": [
+              {
+                "id": "T1564.004",
+                "name": "NTFS File Attributes",
+                "reference": "https://attack.mitre.org/techniques/T1564/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_linux_ecs",
+      "v2_rare_process_by_host_linux_ecs"
+    ],
+    "name": "Unusual Process For a Linux Host",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "rare_process_by_host_windows_ecs",
+      "v2_rare_process_by_host_windows_ecs"
+    ],
+    "name": "Unusual Process For a Windows Host",
+    "note": "## Triage and analysis\n\n###  Investigating an Unusual Windows Process\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.\nBy understanding what is commonly run within an environment and developing baselines for legitimate activity can help\nuncover potential malware and suspicious behaviors.\n\n#### Possible investigation steps:\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\n\n### False Positive Analysis\n- Validate the unusual Windows process is not related to new benign software installation activity. If related to\nlegitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch\nAPI to tune this rule to your environment\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose.  It's possible that a small number of endpoints\nsuch as servers that have very unique software that might appear to be unusual, but satisfy a specific business need.\n\n### Related Rules\n- Anomalous Windows Process Creation\n- Unusual Windows Path Activity\n- Unusual Windows Process Calling the Metadata Service\n\n### Response and Remediation\n- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious\n- Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise\nbehavior such as setting up persistence or performing lateral movement.\n- Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on\nwhat is allowed to run on Windows infrastructure.\n",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.",
+    "false_positives": [
+      "Changes to Windows services or a rarely executed child process."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Unusual Service Host Child Process - Childless Service",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"svchost.exe\" and\n\n     /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n    process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n      \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n      \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n      \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n      \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n      \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n      /* unknown FPs can be added here */\n\n     not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n",
+    "risk_score": 47,
+    "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/",
+            "subtechnique": [
+              {
+                "id": "T1055.012",
+                "name": "Process Hollowing",
+                "reference": "https://attack.mitre.org/techniques/T1055/012/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+    "false_positives": [
+      "Business travelers who roam to new locations may trigger this alert."
+    ],
+    "from": "now-30m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "auth_rare_source_ip_for_a_user",
+    "name": "Unusual Source IP for a User to Logon from",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Authentication",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_network_activity_ecs",
+      "v2_windows_anomalous_network_activity_ecs"
+    ],
+    "name": "Unusual Windows Network Activity",
+    "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_path_activity_ecs",
+      "v2_windows_anomalous_path_activity_ecs"
+    ],
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_process",
+      "v2_windows_rare_metadata_process"
+    ],
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_rare_metadata_user",
+      "v2_windows_rare_metadata_user"
+    ],
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License v2",
+    "machine_learning_job_id": [
+      "windows_anomalous_user_name_ecs",
+      "v2_windows_anomalous_user_name_ecs"
+    ],
+    "name": "Unusual Windows Username",
+    "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Account Creation",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"net.exe\", \"net1.exe\") and\n  not process.parent.name : \"net.exe\" and\n  (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/",
+            "subtechnique": [
+              {
+                "id": "T1136.001",
+                "name": "Local Account",
+                "reference": "https://attack.mitre.org/techniques/T1136/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Application",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*",
+      "logs-azure*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Skoetting"
+    ],
+    "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "User Added to Privileged Group in Active Directory",
+    "query": "iam where event.action == \"added-member-to-group\" and\n  group.name : (\"Admin*\",\n                \"Local Administrators\",\n                \"Domain Admins\",\n                \"Enterprise Admins\",\n                \"Backup Admins\",\n                \"Schema Admins\",\n                \"DnsAdmins\",\n                \"Exchange Organization Administrators\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"
+    ],
+    "risk_score": 47,
+    "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n  source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
+    "references": [
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control",
+      "Host"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 11
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and\n  process.args:(\"/sys/class/dmi/id/bios_version\" or\n                \"/sys/class/dmi/id/product_name\" or\n                \"/sys/class/dmi/id/chassis_vendor\" or\n                \"/proc/scsi/scsi\" or\n                \"/proc/ide/hd0/model\") and\n  not user.name:root\n",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Machine Fingerprinting via Grep",
+    "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and \n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
+    "references": [
+      "https://objective-see.com/blog/blog_0x4F.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Virtual Private Network Connection Attempt",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (\n    (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n    (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n    (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n  )\n",
+    "references": [
+      "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+      "https://www.unix.com/man-page/osx/8/networksetup/",
+      "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"
+    ],
+    "risk_score": 21,
+    "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
+    "query": "process where event.type in (\"start\", \"process_started\") and event.action == \"start\" \n  and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n  process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic",
+      "Austin Songer"
+    ],
+    "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n  process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n  process.args : (\"*Win32_ShadowCopy*\") and\n  process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
+      "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",
+      "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"
+    ],
+    "risk_score": 73,
+    "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n  process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 10
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WMI Incoming Lateral Movement",
+    "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n  [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n   source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n  ]\n\n  /* Excluding Common FPs Nessus and SCCM */\n\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n   not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n                       \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n                       \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n                       \"C:\\\\Windows\\\\CCMCache\\\\*\", \n                       \"C:\\\\CCM\\\\Cache\\\\*\")\n   ]\n",
+    "risk_score": 47,
+    "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": []
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1047",
+            "name": "Windows Management Instrumentation",
+            "reference": "https://attack.mitre.org/techniques/T1047/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent string.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405\n",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 8
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*",
+      "traces-apm*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.",
+    "false_positives": [
+      "Legitimate WebProxy Settings Modification"
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "WebProxy Settings Modification",
+    "query": "event.category : process and event.type : start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n                                  \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n                                  \"/usr/libexec/xpcproxy\")\n",
+    "references": [
+      "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
+      "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1539",
+            "name": "Steal Web Session Cookie",
+            "reference": "https://attack.mitre.org/techniques/T1539/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "WebServer Access Logs Deleted",
+    "query": "file where event.type == \"deletion\" and\n  file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n               \"/var/log/apache*/access.log\",\n               \"/etc/httpd/logs/access_log\", \n               \"/var/log/httpd/access_log\", \n               \"/var/www/*/logs/access.log\")\n",
+    "risk_score": 47,
+    "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Webshell Detection: Script Process Child of Common Web Processes",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "process where event.type == \"start\" and\n  process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n  process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n",
+    "references": [
+      "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1505",
+            "name": "Server Software Component",
+            "reference": "https://attack.mitre.org/techniques/T1505/",
+            "subtechnique": [
+              {
+                "id": "T1505.003",
+                "name": "Web Shell",
+                "reference": "https://attack.mitre.org/techniques/T1505/003/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whitespace Padding in Process Command Line",
+    "note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.command_line regex \".*[ ]{20,}.*\" or \n  \n  /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n  process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
+    "references": [
+      "https://twitter.com/JohnLaTwC/status/1419251082736201737"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": []
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Whoami Process Activity",
+    "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 7
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"\n",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1553",
+            "name": "Subvert Trust Controls",
+            "reference": "https://attack.mitre.org/techniques/T1553/",
+            "subtechnique": [
+              {
+                "id": "T1553.002",
+                "name": "Code Signing",
+                "reference": "https://attack.mitre.org/techniques/T1553/002/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Disabled via Registry Modification",
+    "note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
+    "query": "registry where event.type in (\"creation\", \"change\") and\n  ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n     registry.data.strings:\"1\") or\n  (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n     registry.data.strings in (\"3\", \"4\")))\n",
+    "references": [
+      "https://thedfirreport.com/2020/12/13/defender-control/"
+    ],
+    "risk_score": 21,
+    "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Defender Exclusions Added via PowerShell",
+    "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions\n\nMicrosoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more\nnotable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.\n\n#### Possible investigation steps:\n- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users\nusing scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to\nidentify the source of the activity first and determine if there is any mal-intent behind the events.\n- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original\nintent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs\nto be legitimately whitelisted from Windows Defender?\n\n### False Positive Analysis\n- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly\na network administrator. In order to validate the activity further, review the specific exclusion made and determine based\non the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made\nwith Windows Defender so it's important to gain context around the exclusion.\n\n### Related Rules\n- Windows Defender Disabled via Registry Modification\n- Disabling Windows Defender Security Settings via PowerShell\n\n### Response and Remediation\n- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and\npotentially isolate further activity\n- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove\nthe exclusion and ensure antimalware capability has not been disabled or deleted\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review\n",
+    "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n  process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n  process.args : (\"*-Exclusion*\")\n",
+    "references": [
+      "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.006",
+                "name": "Indicator Blocking",
+                "reference": "https://attack.mitre.org/techniques/T1562/006/"
+              },
+              {
+                "id": "T1562.001",
+                "name": "Disable or Modify Tools",
+                "reference": "https://attack.mitre.org/techniques/T1562/001/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.001",
+                "name": "PowerShell",
+                "reference": "https://attack.mitre.org/techniques/T1059/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic",
+      "Anabella Cristaldi"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-windows.*",
+      "logs-system.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Windows Event Logs Cleared",
+    "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+    "risk_score": 21,
+    "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/",
+            "subtechnique": [
+              {
+                "id": "T1070.001",
+                "name": "Clear Windows Event Logs",
+                "reference": "https://attack.mitre.org/techniques/T1070/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Austin Songer"
+    ],
+    "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.",
+    "false_positives": [
+      "Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Firewall Disabled via PowerShell",
+    "query": "process where event.action == \"start\" and\n  (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n   process.args : \"*Set-NetFirewallProfile*\" and\n  (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n  (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n",
+    "references": [
+      "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+      "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+      "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+      "http://woshub.com/manage-windows-firewall-powershell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/",
+            "subtechnique": [
+              {
+                "id": "T1562.004",
+                "name": "Disable or Modify System Firewall",
+                "reference": "https://attack.mitre.org/techniques/T1562/004/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Network Enumeration",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n   ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n       not process.parent.name : \"net.exe\")) and\n  (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n  /* expand when ancestry is available\n  and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n                           ((process.parent.name : \"userinit.exe\") or\n                            (process.parent.name : \"gpscript.exe\") or\n                            (process.parent.name : \"explorer.exe\" and\n                               process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n  */\n",
+    "risk_score": 47,
+    "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1018",
+            "name": "Remote System Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1018/"
+          },
+          {
+            "id": "T1135",
+            "name": "Network Share Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1135/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Executing PowerShell",
+    "query": "process where event.type in (\"start\", \"process_started\") and\n  process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 9
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*",
+      "logs-windows.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "Windows Script Interpreter Executing Process via WMI",
+    "query": "sequence by host.id with maxspan = 5s\n    [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name :\n        (\n          \"cscript.exe\",\n          \"wscript.exe\",\n          \"PowerShell.EXE\",\n          \"Cmd.Exe\",\n          \"MSHTA.EXE\",\n          \"RUNDLL32.EXE\",\n          \"REGSVR32.EXE\",\n          \"MSBuild.exe\",\n          \"InstallUtil.exe\",\n          \"RegAsm.exe\",\n          \"RegSvcs.exe\",\n          \"msxsl.exe\",\n          \"CONTROL.EXE\",\n          \"EXPLORER.EXE\",\n          \"Microsoft.Workflow.Compiler.exe\",\n          \"msiexec.exe\"\n        ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
+    "risk_score": 47,
+    "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1566",
+            "name": "Phishing",
+            "reference": "https://attack.mitre.org/techniques/T1566/",
+            "subtechnique": [
+              {
+                "id": "T1566.001",
+                "name": "Spearphishing Attachment",
+                "reference": "https://attack.mitre.org/techniques/T1566/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n  event.action:meeting.created and not zoom.meeting.password:*\n",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.",
+    "false_positives": [
+      "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."
+    ],
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License v2",
+    "name": "macOS Installer Spawns Network Event",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type == \"start\" and host.os.family == \"macos\" and\n    process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n  [network where not cidrmatch(destination.ip,\n    \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n    \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n    \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n    \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n",
+    "references": [
+      "https://redcanary.com/blog/clipping-silver-sparrows-wings",
+      "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    ],
+    "risk_score": 47,
+    "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/",
+            "subtechnique": [
+              {
+                "id": "T1059.007",
+                "name": "JavaScript",
+                "reference": "https://attack.mitre.org/techniques/T1059/007/"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/",
+            "subtechnique": [
+              {
+                "id": "T1071.001",
+                "name": "Web Protocols",
+                "reference": "https://attack.mitre.org/techniques/T1071/001/"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "eql",
+    "version": 3
+  }
+]
\ No newline at end of file