elastic · benskelker · Oct 13, 2020 · Oct 13, 2020 · Oct 13, 2020
diff --git a/...ns/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc b/...ns/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
@@ -72,10 +72,10 @@ process.name:attrib.exe and process.args:+h
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -84,7 +84,7 @@ process.name:attrib.exe and process.args:+h
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
@@ -64,10 +64,10 @@ and not process.name:msiexec.exe
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -78,7 +78,7 @@ Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
 ----------------------------------
 
 Version 2 (7.6.2 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...les/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc b/...les/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:rules_engine_event)
 
 Version 3 (7.9.0 release)::
 * Rule name changed from: Adversary Behavior - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...s/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc b/...s/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
@@ -67,5 +67,5 @@ performing.
 ==== Rule version history
 
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
 
diff --git a/...prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc b/...prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
@@ -76,5 +76,5 @@ as malware by anti-malware tools.
 ==== Rule version history
 
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
 
diff --git a/...ections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc b/...ections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
@@ -56,5 +56,5 @@ Users running scripts in the course of technical support operations of software
 ==== Rule version history
 
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only
 
diff --git a/...ns/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc b/...ns/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
@@ -67,10 +67,10 @@ and process.args:(firewalld or ip6tables or iptables))
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...tections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc b/...tections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
@@ -65,10 +65,10 @@ and process.args:(syslog or rsyslog or "syslog-ng")
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...rebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc b/...rebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
@@ -76,10 +76,10 @@ process.name:(base16 or base32 or base32plain or base32hex)
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...tections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc b/...tections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
@@ -77,10 +77,10 @@ base64pem)
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
@@ -64,10 +64,10 @@ process.executable:("C:\Windows\SysWOW64\mmc.exe" or
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
@@ -64,10 +64,10 @@ process.name:powershell.exe and process.args:Clear-EventLog
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ process.name:powershell.exe and process.args:Clear-EventLog
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...tections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc b/...tections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
@@ -77,10 +77,10 @@ process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -90,7 +90,7 @@ process.name:cmd.exe and event.action:"Network connection detected
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/.../prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc b/.../prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
@@ -66,10 +66,10 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/.../prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc b/.../prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
@@ -66,10 +66,10 @@ or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
 ==== Rule version history
 
 Version 3 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 2 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...s/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc b/...s/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
@@ -83,5 +83,5 @@ process.name:(ls or find)
 ==== Rule version history
 
 Version 2 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
diff --git a/...les/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc b/...les/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:cred_theft_event)
 
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...es/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc b/...es/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
@@ -50,11 +50,8 @@ endgame.event_subtype_full:cred_theft_event)
 
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...ule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc b/...ule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
@@ -51,11 +51,8 @@ endgame.event_subtype_full:token_manipulation_event)
 
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...le-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc b/...le-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
@@ -51,11 +51,8 @@ endgame.event_subtype_full:token_manipulation_event)
 
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint
-+
-* Formatting only.
-
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...ions/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc b/...ions/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
@@ -63,10 +63,10 @@ process.name:fsutil.exe and process.args:(deletejournal and usn)
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -75,7 +75,7 @@ process.name:fsutil.exe and process.args:(deletejournal and usn)
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...ions/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc b/...ions/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
@@ -62,10 +62,10 @@ process.name:wbadmin.exe and process.args:(catalog and delete)
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -74,7 +74,7 @@ process.name:wbadmin.exe and process.args:(catalog and delete)
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...ions/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc b/...ions/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
@@ -63,5 +63,5 @@ process.args:/\/(home\/.{1,255}|root)\/\.bash_history/
 ==== Rule version history
 
 Version 2 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
diff --git a/.../detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc b/.../detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
@@ -67,10 +67,10 @@ destination.ip:(127.0.0.1 or "::1")
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -80,7 +80,7 @@ destination.ip:(127.0.0.1 or "::1")
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/...s/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc b/...s/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
@@ -64,10 +64,10 @@ or process.args:(advfirewall and off and state)
 ==== Rule version history
 
 Version 4 (7.9.1 release)::
-* Formatting only.
+* Formatting only
 
 Version 3 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -77,7 +77,7 @@ or process.args:(advfirewall and off and state)
 ----------------------------------
 
 Version 2 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
@@ -79,7 +79,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
 ==== Rule version history
 
 Version 4 (7.9.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------
@@ -90,7 +90,7 @@ or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
 ----------------------------------
 
 Version 3 (7.7.0 release)::
-Updated query, changed from:
+* Updated query, changed from:
 +
 [source, js]
 ----------------------------------

diff --git a/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
@@ -52,5 +52,5 @@ DNS domains that use large numbers of child domains, such as software or content
 ==== Rule version history
 
 Version 2 (7.9.0 release)::
-* Formatting only.
+* Formatting only