diff --git a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
index 64e6f839cc..e76b707ed3 100644
--- a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
@@ -72,10 +72,10 @@ process.name:attrib.exe and process.args:+h
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -84,7 +84,7 @@ process.name:attrib.exe and process.args:+h
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
index e3811ef198..3efb639906 100644
--- a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
@@ -64,10 +64,10 @@ and not process.name:msiexec.exe
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -78,7 +78,7 @@ Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
 ----------------------------------

 Version 2 (7.6.2 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
index 5ea577be68..95b44ba765 100644
--- a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:rules_engine_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Adversary Behavior - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
index 84a1997634..ef5bc2490a 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
@@ -67,5 +67,5 @@ performing.
 ==== Rule version history

 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
index 4ff490449d..d1ecc4ba91 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
@@ -76,5 +76,5 @@ as malware by anti-malware tools.
 ==== Rule version history

 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
index a646cb591f..d6b470783c 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
@@ -56,5 +56,5 @@ Users running scripts in the course of technical support operations of software
 ==== Rule version history

 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
index a93c3a0a95..fe1f1b3ab2 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
@@ -67,10 +67,10 @@ and process.args:(firewalld or ip6tables or iptables))
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
index 0fbbe5bb10..cc08b5eb3b 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
@@ -65,10 +65,10 @@ and process.args:(syslog or rsyslog or "syslog-ng")
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
index 84e16883c0..ffebb40bdd 100644
--- a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
@@ -76,10 +76,10 @@ process.name:(base16 or base32 or base32plain or base32hex)
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
index ab6d619789..3376c38b9c 100644
--- a/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
@@ -77,10 +77,10 @@ base64pem)
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
index cf73f687eb..47ec5ff180 100644
--- a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
@@ -64,10 +64,10 @@ process.executable:("C:\Windows\SysWOW64\mmc.exe" or
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
index f32cf1a137..b67f84668f 100644
--- a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
@@ -64,10 +64,10 @@ process.name:powershell.exe and process.args:Clear-EventLog
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ process.name:powershell.exe and process.args:Clear-EventLog
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
index 199864d0d9..04d10af5c7 100644
--- a/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
@@ -77,10 +77,10 @@ process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -90,7 +90,7 @@ process.name:cmd.exe and event.action:"Network connection detected
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
index cb70982a06..bd7a46b2ca 100644
--- a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
@@ -66,10 +66,10 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
index 8551fb6b74..2c39479806 100644
--- a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
@@ -66,10 +66,10 @@ or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
index d5ff8a8c74..a2a3f857a4 100644
--- a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
@@ -83,5 +83,5 @@ process.name:(ls or find)
 ==== Rule version history

 Version 2 (7.9.1 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
index d8c357e159..071ab66d50 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:cred_theft_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
index e8755c5516..7e4782f6ab 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:cred_theft_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
index 6caa9c9673..ba912085a6 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
@@ -51,11 +51,8 @@ endgame.event_subtype_full:token_manipulation_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
index 392364e35d..5ad219658b 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
@@ -51,11 +51,8 @@ endgame.event_subtype_full:token_manipulation_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
index b1dc0bafcb..f5b29dba37 100644
--- a/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
@@ -63,10 +63,10 @@ process.name:fsutil.exe and process.args:(deletejournal and usn)
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -75,7 +75,7 @@ process.name:fsutil.exe and process.args:(deletejournal and usn)
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
index c8e7b4c149..bb7e9e7afc 100644
--- a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
@@ -62,10 +62,10 @@ process.name:wbadmin.exe and process.args:(catalog and delete)
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -74,7 +74,7 @@ process.name:wbadmin.exe and process.args:(catalog and delete)
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc b/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
index 907a94e977..b753b2691e 100644
--- a/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
@@ -63,5 +63,5 @@ process.args:/\/(home\/.{1,255}|root)\/\.bash_history/
 ==== Rule version history

 Version 2 (7.9.1 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
index ffbebe087f..25693bdeb1 100644
--- a/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
@@ -67,10 +67,10 @@ destination.ip:(127.0.0.1 or "::1")
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -80,7 +80,7 @@ destination.ip:(127.0.0.1 or "::1")
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc b/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
index dbf07dbaad..195ba48a3c 100644
--- a/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
@@ -64,10 +64,10 @@ or process.args:(advfirewall and off and state)
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ or process.args:(advfirewall and off and state)
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
index 75d6f2d93a..1377318b6b 100644
--- a/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
@@ -79,7 +79,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
 ==== Rule version history

 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -90,7 +90,7 @@ or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
 ----------------------------------

 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
index 76c34ff9b6..e834d63ab4 100644
--- a/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
@@ -52,5 +52,5 @@ DNS domains that use large numbers of child domains, such as software or content
 ==== Rule version history

 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only

diff --git a/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
index 533d145b1a..3083da0a21 100644
--- a/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
@@ -65,10 +65,10 @@ process.name:certutil.exe and process.args:(-decode or -encode or
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -78,7 +78,7 @@ process.name:certutil.exe and process.args:(-decode or -encode or
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
index 101dc910dc..86165d8cd0 100644
--- a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
@@ -69,10 +69,10 @@ modinfo))
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
index 683b403c49..9c5c2e407b 100644
--- a/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
@@ -74,10 +74,10 @@ process.name:(RegAsm.exe or RegSvcs.exe)
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc
index 2a7abc2b2e..2620289819 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:exploit_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Exploit - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc
index ed2023ae34..4c77f613bd 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:exploit_event)

 Version 3 (7.9.0 release)::
 * Rule name changed from: Exploit - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
index 38188a14bf..8aecc90f8e 100644
--- a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
@@ -66,10 +66,10 @@ zero")
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
index 74bc184eec..7dea4ed3e2 100644
--- a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
@@ -69,10 +69,10 @@ user.name:root
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
index 937c63f528..89ed3c9682 100644
--- a/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
@@ -85,7 +85,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history

 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -96,7 +96,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------

 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
index e0db84a196..5bc7f8e0b9 100644
--- a/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
@@ -76,10 +76,10 @@ process.name:(hexdump or od or xxd)
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
index 8c436f2345..efdc066526 100644
--- a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
@@ -59,10 +59,10 @@ process.name:(hping or hping2 or hping3)
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -70,7 +70,7 @@ process.name:(hping or hping2 or hping3) and event.action:executed
 ----------------------------------

 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
index fc4087bf0d..009b1a4272 100644
--- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
@@ -64,10 +64,10 @@ process.name:perl and process.args:("exec \"/bin/sh\";" or "exec
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
index a530eec828..e0f401f30e 100644
--- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
@@ -65,10 +65,10 @@ pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
index 2bd43d30c2..68277e2eb4 100644
--- a/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
@@ -70,7 +70,7 @@ and destination.port:4500
 ==== Rule version history

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
index 6ad0a8bc17..f3c08ce81d 100644
--- a/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
@@ -81,7 +81,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history

 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -92,7 +92,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------

 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
index 0d36263c1c..8b646c099c 100644
--- a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
@@ -82,10 +82,10 @@ or "-r")))
 ==== Rule version history

 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc b/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
index da1d85f350..ac41203ff0 100644
--- a/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
@@ -67,10 +67,10 @@ or -s or /S or /change or /create or /run)
 ==== Rule version history

 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only

 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -80,7 +80,7 @@ or -s or /S or /change or /create or /run) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc b/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc index 16a09e76ed..52575d31ae 100644 --- a/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc @@ -64,10 +64,10 @@ start) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -77,7 +77,7 @@ start) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc index 255870650d..c1b8d9a794 100644 --- a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc @@ -51,11 +51,8 @@ endgame.event_subtype_full:file_classification_event) Version 3 (7.9.0 release):: * Rule name changed from: Malware - Detected - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc index f48293dd48..2e8ed3d1ae 100644 --- a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc @@ -51,11 +51,8 @@ endgame.event_subtype_full:file_classification_event) Version 3 (7.9.0 release):: * Rule name changed from: Malware - Prevented - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc index 3e2926a3e1..d0786af59f 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc @@ -68,10 +68,10 @@ dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc index cd4002aca6..e40a73fd09 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc @@ -72,10 +72,10 @@ iexplore.exe or powershell.exe) ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc index 1788a91fe9..c2812e7b17 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc @@ -78,10 +78,10 @@ powershell.exe or cscript.exe or wscript.exe) ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc index c74ed94b3a..5695b69f24 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc @@ -78,10 +78,10 @@ wmiprvse.exe) ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc index 6bb1145ffd..eeff77f844 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc @@ -83,10 +83,10 @@ powerpnt.exe or winword.exe) ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc index 2a5750dfe2..01b622130c 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc @@ -69,10 +69,10 @@ MSBuild.exe ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc index f42bbdbbee..4cf21e1e1b 100644 --- a/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc 
@@ -59,10 +59,10 @@ process.name:mknod ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -70,7 +70,7 @@ process.name:mknod and event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc index 1202460c21..8bb425af53 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc @@ -63,10 +63,10 @@ and ignoreallfailures or no and recoveryenabled)) ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc index 3e20b1cf86..a56f27e933 100644 --- a/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc @@ -63,10 +63,10 @@ process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1") ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
@@ -75,7 +75,7 @@ process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1") ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc index bf2a2c2ab1..c54d830d67 100644 --- a/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc @@ -64,10 +64,10 @@ process.parent.name:net.exe) and user.name:SYSTEM ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc index f0cbaf01de..c54b3d8b9c 100644 --- a/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc @@ -63,10 +63,10 @@ netcat.traditional) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -76,7 +76,7 @@ socket_opened) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc index 99c0b9e35d..72149577c0 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc @@ -63,10 +63,10 @@ process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc index 2e25fe8de4..2a5cc15e0f 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc @@ -75,10 +75,10 @@ process.name:hh.exe and not destination.ip:(10.0.0.0/8 or ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -88,7 +88,7 @@ process.name:hh.exe and event.action:"Network connection detected ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-mshta.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-mshta.asciidoc index 87596a87ab..1986299002 100644 
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-mshta.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-mshta.asciidoc @@ -67,10 +67,10 @@ process.name:mshta.exe ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -79,7 +79,7 @@ process.name:mshta.exe ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc index fee2ecd80c..ee9ab0df8d 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc @@ -64,10 +64,10 @@ process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc index 0ebde45ae1..d4915609f9 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc 
@@ -79,10 +79,10 @@ destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -93,7 +93,7 @@ destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc index ab9dfecb3d..c0e9ba034e 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc @@ -75,10 +75,10 @@ and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -88,7 +88,7 @@ and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc index 50fb3f3b2d..a44d5e2c8f 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc 
@@ -78,10 +78,10 @@ process.name:tcpdump ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -89,7 +89,7 @@ process.name:tcpdump and event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc index 6b209da4ff..4d13c46fd7 100644 --- a/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc @@ -60,10 +60,10 @@ process.name:nmap ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -71,7 +71,7 @@ process.name:nmap ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc index ba87a06e2f..3bb74d53e9 100644 --- a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc @@ -59,10 +59,10 @@ process.name:nping ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
@@ -70,7 +70,7 @@ process.name:nping and event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc index b46fcc4c39..ba151a128c 100644 --- a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc @@ -51,11 +51,8 @@ endgame.event_subtype_full:token_protection_event) Version 3 (7.9.0 release):: * Rule name changed from: Permission Theft - Detected - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc index d8073ba18d..db694e1252 100644 --- a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc @@ -51,11 +51,8 @@ endgame.event_subtype_full:token_protection_event) Version 3 (7.9.0 release):: * Rule name changed from: Permission Theft - Prevented - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc index b79fc4ee48..2a2e1f31f4 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc @@ -70,10 +70,10 @@ process.name:(insmod or kmod or modprobe or rmod) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -82,7 +82,7 @@ event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc index a9e8bd10d3..dfa0631e86 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc @@ -72,8 +72,8 @@ event.code:1 and process.name:sdbinst.exe ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc index d1fd3d65fb..14324d0348 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc @@ -64,10 +64,10 @@ process.name:setenforce and process.args:0 ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc index 3d78e59251..14d723cb45 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc @@ -59,10 +59,10 @@ process.name:(iodine or iodined) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -70,7 +70,7 @@ process.name:(iodine or iodined) and event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc index be1dcec212..3fb15c8b02 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc @@ -60,8 +60,8 @@ event.code:1 and process.name:fltMC.exe ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc index 2bd9dc802d..dc6379cf7d 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc @@ -74,10 +74,10 @@ narrator.exe or osk.exe or sethc.exe or utilman.exe) ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc index a46ecb62a2..4c19d24d9b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc @@ -71,10 +71,10 @@ process.name:(bash or dash) and user.name:(apache or nginx or www or ==== Rule version history Version 5 (7.9.1 release):: -* Formatting only. +* Formatting only Version 4 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -83,7 +83,7 @@ process.name:(bash or dash) and user.name:(apache or nginx or www or ---------------------------------- Version 3 (7.8.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -92,7 +92,7 @@ event.action:executed ---------------------------------- Version 2 (7.6.1 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc index f298f976ff..407a23149e 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc @@ -72,10 +72,10 @@ process.parent.name:powershell.exe and process.name:cmd.exe ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -83,5 +83,5 @@ process.parent.name:powershell.exe and process.name:cmd.exe ---------------------------------- Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc index a7fe8cac9f..6648a34782 100644 --- a/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc @@ -67,7 +67,7 @@ and destination.port:1723 ==== Rule version history Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc index 3ad57c2ee8..1f4ab67f73 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc 
@@ -76,8 +76,8 @@ event.code:1 and process.name:hh.exe ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc index c72735e89a..45232e1e5c 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc @@ -63,8 +63,8 @@ event.code:1 and process.name:tasklist.exe ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc index 3e8599dbfc..256bbedb63 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc @@ -76,5 +76,5 @@ process.name:MSBuild.exe and event.action:"CreateRemoteThread detected ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc index a2acdd0441..acf5d482e2 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc 
@@ -51,11 +51,8 @@ endgame.event_subtype_full:kernel_shellcode_event) Version 3 (7.9.0 release):: * Rule name changed from: Process Injection - Detected - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc index 4ae7be0a73..3ea09b44f2 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc @@ -51,11 +51,8 @@ endgame.event_subtype_full:kernel_shellcode_event) Version 3 (7.9.0 release):: * Rule name changed from: Process Injection - Prevented - Elastic Endpoint -+ -* Formatting only. - Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc index 5886ee9470..e0c7b8863e 100644 --- a/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc @@ -84,7 +84,7 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1") ==== Rule version history Version 4 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
@@ -95,7 +95,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
index 4f26216542..68f48de0be 100644
--- a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
@@ -76,10 +76,10 @@ process.name:PsExec.exe
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -88,7 +88,7 @@ process.name:PsExec.exe and event.action:"Network connection detected
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc
index 7bbfba1675..16ec66cf60 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:ransomware_event)
 Version 3 (7.9.0 release)::
 * Rule name changed from: Ransomware - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc
index 4408d22312..d13fa8c56b 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:ransomware_event)
 Version 3 (7.9.0 release)::
 * Rule name changed from: Ransomware - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
index 6c450c44e6..0e19ad21ff 100644
--- a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
@@ -92,7 +92,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -103,7 +103,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
index 8b5b0f4794..7a960f8ffd 100644
--- a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
@@ -82,7 +82,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -93,7 +93,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
index a408e56653..4637bb09bf 100644
--- a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
@@ -68,7 +68,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -79,7 +79,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
index bfbd93476f..273c0ab74f 100644
--- a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
@@ -68,7 +68,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -79,7 +79,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc b/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
index 266c57f357..07612d9638 100644
--- a/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
@@ -72,10 +72,10 @@ user.name:root
 ==== Rule version history
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc b/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
index 84b12e066a..11bc58c40b 100644
--- a/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
@@ -72,10 +72,10 @@ user.name:root
 ==== Rule version history
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
index 6fe2fd7cac..35d8562383 100644
--- a/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
@@ -79,7 +79,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -90,7 +90,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc b/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
index e5b70b36e4..4c555887e3 100644
--- a/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
@@ -84,7 +84,7 @@ destination.port:26))
 ==== Rule version history
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
index 3ad6997ef7..fb19a15189 100644
--- a/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
@@ -81,7 +81,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -92,7 +92,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
index 5499dd5bc1..8168e4fa64 100644
--- a/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
@@ -59,10 +59,10 @@ process.name:socat and not process.args:-V
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -70,7 +70,7 @@ process.name:socat and not process.args:-V and event.action:executed
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
index 5072d7288a..a7df45d9b5 100644
--- a/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
@@ -71,7 +71,7 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -82,7 +82,7 @@ and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
index 78e80cb179..c411ef6611 100644
--- a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
@@ -92,7 +92,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -103,7 +103,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
index 20026bd3f4..d20d65167e 100644
--- a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
@@ -72,7 +72,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -83,7 +83,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
index c5073abb47..fc0d13805f 100644
--- a/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
@@ -59,10 +59,10 @@ process.name:strace
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -70,7 +70,7 @@ process.name:strace and event.action:executed
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
index 85a60fbf65..f7e5bf036a 100644
--- a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
@@ -60,10 +60,10 @@ event.category:file and event.type:change and file.path:/etc/sudoers
 ==== Rule version history
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
index 8154f4de8c..06bbdf3628 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
@@ -77,10 +77,10 @@ wmic.exe or wscript.exe or xwizard.exe)
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -102,7 +102,7 @@ wmic.exe or wscript.exe or xwizard.exe)
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
index 66fe771634..aa286d465b 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
@@ -74,10 +74,10 @@ wmic.exe or wscript.exe or xwizard.exe)
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -98,7 +98,7 @@ wmic.exe or wscript.exe or xwizard.exe)
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
index 1b6bb8c3ae..e8f15ed474 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
@@ -76,10 +76,10 @@ certutil.exe or ftp.exe)
 ==== Rule version history
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
index 0224006038..3ea898639e 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
@@ -50,5 +50,5 @@ Certain kinds of security testing may trigger this alert. PowerShell scripts tha
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
index 27df525293..944fcad962 100644
--- a/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
@@ -62,10 +62,10 @@ process.parent.name:svchost.exe and process.name:cmd.exe
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -73,5 +73,5 @@ process.parent.name:svchost.exe and process.name:cmd.exe
 ----------------------------------
 Version 2 (7.7.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
index cae38a4632..eec7797dd4 100644
--- a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
@@ -64,10 +64,10 @@ powershell.exe)
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ powershell.exe)
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
index 68ec18578c..18efe4e88b 100644
--- a/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
@@ -70,7 +70,7 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -81,7 +81,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
index fe38743d6b..82e14cd843 100644
--- a/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
@@ -90,7 +90,7 @@ and destination.port:23
 ==== Rule version history
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
index f0744d1dcd..6da935ee02 100644
--- a/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
@@ -81,7 +81,7 @@ and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or
 ==== Rule version history
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -92,7 +92,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ----------------------------------
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc b/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
index a922faf8cd..e1429caa33 100644
--- a/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
@@ -74,10 +74,10 @@ event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
 ==== Rule version history
 Version 3 (7.9.0 release)::
-* Formatting only.
+* Formatting only
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
index 6c01e6aea5..4ece201bd8 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
@@ -54,5 +54,5 @@ A newly installed program or one that runs rarely as part of a monthly or quarte
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
index 442f85a8a1..68bb7ecb57 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
@@ -73,5 +73,5 @@ performing.
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
index 91b7a1029a..37f547380d 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
@@ -51,5 +51,5 @@ A newly installed program or one that rarely uses the network could trigger this
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
index 7d254e4461..d7f31d1124 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
@@ -49,5 +49,5 @@ A newly installed program or one that rarely uses the network could trigger this
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
index 5ab61514cf..af909f1b03 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
@@ -76,5 +76,5 @@ user is performing.
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
index a6c28b1048..a93b59cc27 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
@@ -55,5 +55,5 @@ A new and unusual program or artifact download in the course of software upgrade
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
index 906d4c8803..a47ac172d1 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
@@ -48,5 +48,5 @@ Security audits may trigger this alert. Conditions that generate bursts of faile
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
index a86ff704c8..334d2ee01b 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
@@ -64,10 +64,10 @@ process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or
 ==== Rule version history
 Version 5 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or
 ----------------------------------
 Version 3 (7.8.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -87,7 +87,7 @@ detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
index 063e6384f6..ead391960b 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
@@ -54,5 +54,5 @@ Web activity that occurs rarely in small quantities can trigger this alert. Poss
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
index b051e9c22e..5f29a4706c 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
@@ -77,10 +77,10 @@ winlogon.exe))
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -104,7 +104,7 @@ winlogon.exe))
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
index d294e6321e..a955dacdfe 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
@@ -54,10 +54,10 @@ process.working_directory:/tmp
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -65,7 +65,7 @@ process.working_directory:/tmp and event.action:executed
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
index 306e2a8b83..e2d888b9d2 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
@@ -65,5 +65,5 @@ it is performing.
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
index 52b847872f..a3c78576d1 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
@@ -74,5 +74,5 @@ as malware by anti-malware tools.
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
index 9dc252b523..0f76f33dbd 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
@@ -65,10 +65,10 @@ iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
 ==== Rule version history
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -79,7 +79,7 @@ iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
 ----------------------------------
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
index cd7eff4cd2..eb39fd0c18 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
@@ -59,5 +59,5 @@ Web activity that occurs rarely in small quantities can trigger this alert. Poss
 ==== Rule version history
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
index f5338de2a6..22362e020a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
@@ -58,5 +58,5 @@ Web activity that is uncommon, like security scans, may trigger this alert and m ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc index 57b0f424f1..ea614ea01c 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc @@ -82,5 +82,5 @@ as malware by anti-malware tools. ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc index bdf8ceec55..f64b3ac7db 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc @@ -53,5 +53,5 @@ A new and unusual program or artifact download in the course of software upgrade ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc index 129f20e7b0..4576033e3b 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc @@ -63,5 +63,5 @@ employee working remotely? ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc index a3deac8dbb..8ae8c78615 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc @@ -52,5 +52,5 @@ A newly installed program or one that runs rarely as part of a monthly or quarte ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc index 82976647eb..38f59535d1 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc @@ -52,5 +52,5 @@ Uncommon user privilege elevation activity can be due to an administrator, help ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc index f8196b084c..dda33c1db9 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc @@ -76,5 +76,5 @@ Office application, this process could be more suspicious. ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc index 3653b11190..fdfc6634c5 100644 
--- a/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc @@ -63,10 +63,10 @@ and process.args:(user and (/ad or /add)) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -76,7 +76,7 @@ and process.args:(user and (/ad or /add)) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc index 500d1336c5..73361d9b52 100644 --- a/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc @@ -66,10 +66,10 @@ process.name:whoami ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -77,7 +77,7 @@ process.name:whoami and event.action:executed ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc index 7d4e5b1d63..2d80e46ed8 100644 --- a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc 
@@ -67,10 +67,10 @@ or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root ==== Rule version history Version 3 (7.9.1 release):: -* Formatting only. +* Formatting only Version 2 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc index f35b12a460..a5931b2bd5 100644 --- a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc @@ -82,7 +82,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or ==== Rule version history Version 4 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -93,7 +93,7 @@ destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ---------------------------------- Version 3 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc index 0a2da283ba..2bf90fc724 100644 --- a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc @@ -72,7 +72,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or ==== Rule version history Version 4 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
@@ -83,7 +83,7 @@ destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or ---------------------------------- Version 3 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc index a94a9b8158..72f55b5c9a 100644 --- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc @@ -62,10 +62,10 @@ process.name:vssadmin.exe and process.args:(delete and shadows) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -74,7 +74,7 @@ process.name:vssadmin.exe and process.args:(delete and shadows) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc index 8c4f49a0c4..6707cb4df5 100644 --- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc 
@@ -62,10 +62,10 @@ process.name:WMIC.exe and process.args:(delete and shadowcopy) ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -74,7 +74,7 @@ process.name:WMIC.exe and process.args:(delete and shadowcopy) ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc index 85aafa2e93..07c8c643e6 100644 --- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc @@ -78,10 +78,10 @@ url.path:* ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc index ea49292d23..573a645f69 100644 --- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc 
@@ -57,8 +57,8 @@ http.response.status_code:403 and http.request.method:post ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc index cad6677ab7..4a5b0dbe30 100644 --- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc @@ -57,8 +57,8 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc index 03d8c243fa..105173e6b8 100644 --- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc @@ -57,8 +57,8 @@ http.response.status_code:405 ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc index ddb4efbad9..b8ca3f3174 100644 --- a/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc @@ -64,8 +64,8 @@ process.name:whoami.exe and event.code:1 ==== Rule version history Version 3 (7.9.0 release):: -* Formatting only. +* Formatting only Version 2 (7.7.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc index bdaa612728..99ce89ef4e 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc @@ -64,5 +64,5 @@ message:"[CVE-2020-0601]" ==== Rule version history Version 2 (7.9.0 release):: -* Formatting only. +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc index df3f48fc5d..d59440e62d 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc @@ -64,10 +64,10 @@ process.name:powershell.exe ==== Rule version history Version 4 (7.9.1 release):: -* Formatting only. +* Formatting only Version 3 (7.9.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- @@ -77,7 +77,7 @@ process.name:powershell.exe ---------------------------------- Version 2 (7.7.0 release):: -Updated query, changed from: +* Updated query, changed from: + [source, js] ---------------------------------- 
diff --git a/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.9.0.json b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.9.0.json
index c7b425b021..269d14456c 100644
--- a/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.9.0.json
+++ b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.9.0.json
@@ -2613,7 +2613,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Adversary Behavior - Detected - Elastic Endpoint"
 }
 ]
@@ -2672,7 +2672,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -2729,7 +2729,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -2785,7 +2785,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -4305,7 +4305,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Credential Dumping - Detected - Elastic Endpoint"
 }
 ]
@@ -4366,7 +4366,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Credential Dumping - Prevented - Elastic Endpoint"
 }
 ]
@@ -4427,7 +4427,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Credential Manipulation - Detected - Elastic Endpoint"
 }
 ]
@@ -4488,7 +4488,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Credential Manipulation - Prevented - Elastic Endpoint"
 }
 ]
@@ -4633,7 +4633,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -5381,7 +5381,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Exploit - Detected - Elastic Endpoint"
 }
 ]
@@ -5442,7 +5442,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Exploit - Prevented - Elastic Endpoint"
 }
 ]
@@ -6545,7 +6545,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Malware - Detected - Elastic Endpoint"
 }
 ]
@@ -6606,7 +6606,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Malware - Prevented - Elastic Endpoint"
 }
 ]
@@ -8432,7 +8432,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Permission Theft - Detected - Elastic Endpoint"
 }
 ]
@@ -8493,7 +8493,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Permission Theft - Prevented - Elastic Endpoint"
 }
 ]
@@ -8733,13 +8733,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "event.code:1 and process.name:sdbinst.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.name:sdbinst.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -8945,13 +8945,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "event.code:1 and process.name:fltMC.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.name:fltMC.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -9042,7 +9042,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -9215,7 +9215,7 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "process.parent.name:powershell.exe and process.name:cmd.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
@@ -9308,13 +9308,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "event.code:1 and process.name:hh.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.name:hh.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -9386,13 +9386,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "event.code:1 and process.name:tasklist.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.name:tasklist.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -9451,7 +9451,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Process Injection - Detected - Elastic Endpoint"
 }
 ]
@@ -9512,7 +9512,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Process Injection - Prevented - Elastic Endpoint"
 }
 ]
@@ -9601,7 +9601,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -10215,7 +10215,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Ransomware - Detected - Elastic Endpoint"
 }
 ]
@@ -10276,7 +10276,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
- "doc_text": "Formatting only.",
+ "doc_text": "Formatting only",
 "pre_name": "Ransomware - Prevented - Elastic Endpoint"
 }
 ]
@@ -11714,7 +11714,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -11785,7 +11785,7 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "process.parent.name:svchost.exe and process.name:cmd.exe",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
@@ -12303,7 +12303,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12500,7 +12500,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12557,7 +12557,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12613,7 +12613,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12669,7 +12669,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12726,7 +12726,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12782,7 +12782,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12838,7 +12838,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -12977,7 +12977,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13174,7 +13174,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13231,7 +13231,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13364,7 +13364,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13420,7 +13420,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13477,7 +13477,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13533,7 +13533,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13590,7 +13590,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13646,7 +13646,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13702,7 +13702,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -13759,7 +13759,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "N/A",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14407,7 +14407,7 @@
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "url.path:*",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14465,13 +14465,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "http.response.status_code:403 and http.request.method:post",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "http.response.status_code:403 and http.request.method:post",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14529,13 +14529,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "http.response.status_code:405",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "http.response.status_code:405",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14593,13 +14593,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14671,13 +14671,13 @@
 "version": 2,
 "updated": "7.7.0",
 "pre_query": "process.name:whoami.exe and event.code:1",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 },
 {
 "version": 3,
 "updated": "7.9.0",
 "pre_query": "process.name:whoami.exe and event.code:1",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },
@@ -14747,7 +14747,7 @@
 "version": 2,
 "updated": "7.9.0",
 "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
- "doc_text": "Formatting only."
+ "doc_text": "Formatting only"
 }
 ]
 },